Overview
Actively Exploited. CVE-2025-47813 is an information disclosure vulnerability in Wing FTP Server. The loginok.html endpoint does not properly validate the value of the UID session cookie. When an attacker supplies a cookie value longer than the maximum path size of the underlying operating system, an error message is triggered that discloses the full local server installation path of the application.
While the path disclosure on its own is only medium severity (CVSS 4.3), it is part of a critical exploitation chain alongside CVE-2025-47812 (pre-auth RCE via NULL byte Lua injection) that yields full remote code execution as root (Linux) or NT AUTHORITY\SYSTEM (Windows). The chain is confirmed to be actively exploited in the wild.
Part of a Critical Exploitation Chain
This CVE was discovered during a penetration test by RCE Security researcher Julien Ahrens alongside three other vulnerabilities in Wing FTP Server. Together, they form a critical attack chain:
| CVE | Severity | Description | Role in Chain |
|---|---|---|---|
| CVE-2025-47812 | CRITICAL | Pre-Auth RCE via NULL byte authentication bypass + Lua code injection into session files | Primary RCE exploit |
| CVE-2025-47813 | MEDIUM | Full path disclosure via overlong UID cookie | Reconnaissance — leaks server path to aid exploitation |
| CVE-2025-47811 | — | Overly permissive service: runs as root (Linux) / SYSTEM (Windows) by default | Impact amplification: injected code inherits root/SYSTEM, so no separate privilege escalation step is needed |
| CVE-2025-27889 | — | Password leak via downloadpass.html open redirect | Credential theft |
Chain Impact: An attacker who can reach the web interface of a server with anonymous access enabled can achieve remote code execution as root/SYSTEM without valid credentials by: (1) leaking the server's installation path via CVE-2025-47813, (2) exploiting the NULL byte authentication bypass in c_CheckUser() to write Lua code into a session file via CVE-2025-47812, and (3) requesting any authenticated web endpoint while presenting the UID cookie of that poisoned session, which causes the server to load the session file and execute the injected Lua.
Vulnerability Description
The loginok.html endpoint handles authentication for Wing FTP Server's web interface. It reads the UID cookie to manage session state. When this cookie value exceeds the filesystem's limits (MAX_PATH, 260 characters, on Windows; on Linux and macOS the 255-byte NAME_MAX limit on a single path component is hit first, since the UID becomes one file name), the application attempts to create or access a session file using the cookie value as part of the file path. This operation fails, and the resulting error message, returned verbatim to the client, includes the full local installation path of the Wing FTP Server, such as C:\WingFTP\ or /opt/wftpserver/.
The disclosed path information is valuable to attackers because it aids in crafting payloads for CVE-2025-47812, where Lua code is injected into session files stored on the server's filesystem. Knowledge of the exact installation path removes guesswork for file-based attack vectors.
An attacker sends a POST request to /loginok.html with a UID cookie containing an overlong value (hundreds of characters). The server's session file handling concatenates the installation path with the session directory and the UID value, exceeding the OS path limit and causing an unhandled error that leaks the full path.
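The CWE-209 pattern described above, as an added illustration (this is hypothetical Python written for this page, not Wing FTP Server's code): a stand-in for the loginok.html handler that uses the UID cookie verbatim as a session file name and echoes the raw OS error, next to a hardened variant that validates the cookie first and returns a generic error. The installation root is a temporary directory standing in for /opt/wftpserver/, and the 32-hex-character UID format is an assumption, since the real cookie format is not documented here.

```python
"""Added illustration of the CWE-209 behaviour behind CVE-2025-47813.

Not Wing FTP Server's code: a hypothetical stand-in that reproduces what the
advisory describes. An overlong UID cookie becomes an overlong session-file
name, and the OS error text (which embeds the absolute path) is returned to
the client. A hardened handler is shown beside it.
"""
import os
import re
import tempfile

# Hypothetical installation root; a real install would be e.g. /opt/wftpserver/.
INSTALL_ROOT = tempfile.mkdtemp(prefix="wftpserver-")
SESSION_DIR = os.path.join(INSTALL_ROOT, "session")
os.makedirs(SESSION_DIR, exist_ok=True)

# Assumption: a legitimate UID is a 32-character hex token. The real format is
# not documented on this page; the point is that the check is strict.
UID_RE = re.compile(r"[0-9a-fA-F]{32}")


def loginok_vulnerable(uid_cookie: str) -> str:
    """Mimics the flawed handler: the cookie is used as a file name unchanged,
    and on failure the raw OS error is sent back to the client."""
    session_file = os.path.join(SESSION_DIR, uid_cookie)
    try:
        with open(session_file, "a", encoding="utf-8"):
            pass
        return "OK"
    except OSError as exc:
        # CWE-209: str(exc) reads like
        # "[Errno 36] File name too long: '/opt/wftpserver/session/AAAA...'"
        return f"Error: {exc}"


def loginok_hardened(uid_cookie: str) -> str:
    """Validates the cookie before touching the filesystem and never returns
    internal error details to the client."""
    if not UID_RE.fullmatch(uid_cookie):
        return "Error: invalid session"
    session_file = os.path.join(SESSION_DIR, uid_cookie)
    try:
        with open(session_file, "a", encoding="utf-8"):
            pass
        return "OK"
    except OSError:
        # The exception would be logged server-side; the client gets nothing specific.
        return "Error: session unavailable"


def leaks_install_path(response: str) -> bool:
    """True if a response discloses the installation root (the CVE-2025-47813 condition)."""
    return INSTALL_ROOT in response


if __name__ == "__main__":
    # 300 characters exceeds NAME_MAX (255) on Linux/macOS and MAX_PATH (260) on Windows.
    overlong_uid = "A" * 300
    print(loginok_vulnerable(overlong_uid))
    print(loginok_hardened(overlong_uid))
```

Running the block prints the vulnerable handler's error with the full session-file path embedded, while the hardened handler rejects the cookie before any filesystem call. The fix is two independent controls: input validation on the cookie, and a generic client-facing error regardless of what the filesystem reports.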
Affected Products
Wing FTP Server is available for Windows, Linux, and macOS — all platforms are affected.
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| Wing FTP Server | All versions before 7.4.4 | 7.4.4 (May 14, 2025; current latest: 8.x) |
Remediation
- Upgrade Wing FTP Server to version 7.4.4 or later.
- Disable anonymous access if not required — anonymous users can trigger this and the related RCE chain.
- Restrict web interface access — limit the web client/admin interface to trusted networks via firewall rules.
- Review server logs for POST requests to /loginok.html with abnormally long UID cookie values.
Detection: Monitor HTTP access logs for requests to /loginok.html with UID cookies exceeding ~260 characters. Check the session/ directory for suspicious session files containing Lua code (indicates CVE-2025-47812 exploitation). Look for NULL bytes (%00) in POST parameters to loginok.html — a signature of the RCE chain.
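The detection indicators above, turned into a small added helper (written for this page; not part of the advisory and not a Wing FTP tool). It inspects raw HTTP requests to /loginok.html as a proxy or IDS would capture them, flagging an overlong UID cookie (the CVE-2025-47813 probe) and a NULL byte in a POST parameter (the CVE-2025-47812 signature), and it applies a marker heuristic to session file contents. The sample requests and session file contents are constructed for the example; the Lua marker list and the 255-character alert threshold are assumptions.

```python
"""Added detection helper for the CVE-2025-47813 / CVE-2025-47812 chain.

Not part of the advisory. Parses raw HTTP requests (as captured by a proxy or
IDS) and flags the two signatures given in the Detection note, plus a marker
heuristic for files in the server's session/ directory.
"""
from urllib.parse import parse_qs, urlsplit

# NAME_MAX on Linux/macOS; MAX_PATH on Windows is 260. A real UID is far shorter
# (assumption: the real cookie format is not documented on this page).
UID_ALERT_LEN = 255
# Lua execution primitives that have no business in a session file (assumption).
LUA_MARKERS = ("os.execute", "io.popen", "load(", "loadstring", "dofile")


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value dict (no decoding needed here)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def scan_request(raw: str) -> list:
    """Return a list of finding strings for one raw HTTP request; [] if clean."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if not urlsplit(target).path.endswith("/loginok.html"):
        return []
    findings = []
    uid = parse_cookies(headers.get("cookie", "")).get("UID", "")
    if len(uid) >= UID_ALERT_LEN:
        findings.append(f"overlong UID cookie ({len(uid)} chars): CVE-2025-47813 probe")
    # parse_qs percent-decodes the body, so %00 arrives as a literal "\x00".
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if "\x00" in value:
                findings.append(f"NULL byte in POST parameter {name!r}: CVE-2025-47812 signature")
                if any(marker in value for marker in LUA_MARKERS):
                    findings.append(f"Lua execution primitive in POST parameter {name!r}")
    return findings


def session_file_suspicious(content: str) -> bool:
    """Heuristic for files under session/: a legitimate session file should hold
    only session state, so any Lua execution primitive points at exploitation."""
    return any(marker in content for marker in LUA_MARKERS)


def build_request(body: str, cookie: str = "") -> str:
    """Constructed sample: a POST to /loginok.html, optionally with a Cookie header."""
    headers = [
        "POST /loginok.html HTTP/1.1",
        "Host: ftp.example.test",
        "Content-Type: application/x-www-form-urlencoded",
    ]
    if cookie:
        headers.append("Cookie: " + cookie)
    return "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    samples = {
        "path probe": build_request("username=anonymous&password=x", "UID=" + "A" * 300),
        "lua inject": build_request("username=anonymous%00os.execute('id')&password=x"),
        "benign":     build_request("username=alice&password=s3cret"),
    }
    for label, req in samples.items():
        print(label, scan_request(req))
    print("session file", session_file_suspicious('username = "anonymous"\nos.execute("id")'))
```

The NULL byte check is done on the decoded parameter value rather than by grepping for the literal string %00, so it also catches a raw 0x00 byte sent in the body. For session files, the marker list is deliberately short; extend it with the primitives your own Lua runtime exposes.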
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-47813 |
| Vendor / Product | Wing FTP — Wing FTP Server |
| NVD Published | 2025-07-10 |
| NVD Last Modified | 2026-03-16 |
| CVSS 3.1 Score | 4.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-209 |
| CISA KEV Added | 2026-03-16 |
| CISA KEV Deadline | 2026-03-30 |
| Known Ransomware Use | No |
| Affected Versions | All versions before 7.4.4 |
Timeline
| Date | Event |
|---|---|
| 2025-05-01 | Vulnerability discovered by Julien Ahrens (RCE Security) during penetration test |
| 2025-05-10 | MITRE assigns CVE-2025-47813 |
| 2025-05-12 | Vendor contacted — confirms as critical bug |
| 2025-05-14 | Wing FTP Server v7.4.4 released with fix |
| 2025-06-30 | Full disclosure — exploit chain write-up published by RCE Security |
| 2025-07-10 | CVE-2025-47813 published on NVD |
| 2026-03-16 | Added to CISA Known Exploited Vulnerabilities catalog — confirms active exploitation |
| 2026-03-30 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2025-47813 | Vulnerability Database |
| RCE Security Advisory — CVE-2025-47813 | Security Advisory |
| RCE Security — Full Exploit Chain Write-up (CVE-2025-47812) | Security Research |
| Wing FTP Server Release Notes | Vendor Advisory |
| CISA KEV Catalog Entry | US Government |