How can organizations mitigate the risk associated with CVE-2025-47812?

Organizations should immediately update Wing FTP Server to version 7.4.4 or later, as this version addresses the vulnerability. Additionally, monitoring logs for abnormal activity and disabling anonymous FTP access can further mitigate risk.

Why did CISA add CVE-2025-47812 to its KEV catalog?

CISA added CVE-2025-47812 to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation in the wild, emphasizing the need for prompt remediation to protect systems from potential compromise.

Critical Wing FTP Server Vulnerability Exploited: Immediate Action Required

Q: What is CVE-2025-47812?

CVE-2025-47812 is a critical vulnerability in Wing FTP Server that allows unauthenticated attackers to execute arbitrary Lua code via null byte injection in the username parameter, leading to remote code execution with elevated privileges.

A severe vulnerability in Wing FTP Server (CVE-2025-47812) is being actively exploited, allowing remote code execution. Organizations must update to version 7.4.4 immediately to mitigate this risk.

Published: March 17, 2026

Share this on:

Executive Summary

In July 2025, a critical vulnerability (CVE-2025-47812) was discovered in Wing FTP Server, allowing unauthenticated attackers to execute arbitrary Lua code via null byte injection in the username parameter. This flaw enables remote code execution with elevated privileges, potentially leading to full system compromise. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 14, 2025, with a remediation deadline of August 4, 2025. Organizations are urged to update to Wing FTP Server version 7.4.4 or later to mitigate this risk. (gbhackers.com)

The active exploitation of this vulnerability underscores the persistent threat posed by unpatched software vulnerabilities. It highlights the importance of timely patch management and continuous monitoring to prevent potential system compromises and data breaches.

Why This Matters Now

The active exploitation of CVE-2025-47812 in Wing FTP Server highlights the critical need for organizations to promptly apply security patches. Delayed remediation can lead to severe consequences, including unauthorized access and data breaches. This incident serves as a reminder of the importance of maintaining up-to-date systems to protect against emerging threats.

Attack Path Analysis

An attacker exploited a vulnerability in Wing FTP Server to gain unauthorized access, escalated privileges to execute arbitrary code, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused operational disruptions.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

The attacker exploited CVE-2025-47812, a critical remote code execution vulnerability in Wing FTP Server, by injecting a null byte into the username field during login, allowing unauthenticated access and code execution.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-47813
CVSS 4.3
An information disclosure vulnerability in Wing FTP Server before version 7.4.4 allows authenticated remote attackers to obtain the full local installation path of the application by sending a long value in the UID cookie to loginok.html.
Affected Products:
Wing FTP Software Wing FTP Server – < 7.4.4
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-47813 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47813 https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Resource Development

T1588.006

Obtain Capabilities: Vulnerabilities

Defense Evasion

T1211

Exploitation for Defense Evasion

Discovery

T1083

File and Directory Discovery

Reconnaissance

T1592.002

Gather Victim Host Information: Software

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

Control ID: 6.2

The exploitation of CVE-2025-47813 indicates that the system was not adequately protected against known vulnerabilities, violating the requirement to protect all system components from known vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests deficiencies in the organization's cybersecurity policy, particularly in identifying and mitigating vulnerabilities in a timely manner, as required by the regulation.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights weaknesses in the ICT risk management framework, specifically in the identification and mitigation of vulnerabilities, which is a key requirement under DORA.

CISA ZTMM 2.0 – Data Security

Control ID: Pillar 3: Data

The information disclosure vulnerability indicates inadequate data security measures, contravening the principles of the Zero Trust Maturity Model's Data Security pillar.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident demonstrates a failure to implement appropriate cybersecurity risk management measures to prevent known vulnerabilities from being exploited, as mandated by the NIS2 Directive.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

Wing FTP vulnerability enables server path disclosure, compromising IT infrastructure security and exposing sensitive system information to attackers.

Financial Services

Information disclosure vulnerability threatens secure file transfer operations, potentially exposing sensitive financial data and violating regulatory compliance requirements.

Health Care / Life Sciences

FTP server path leakage creates HIPAA compliance risks, potentially exposing protected health information through compromised file transfer systems.

Government Administration

CISA's KEV listing indicates critical government infrastructure risk from Wing FTP exploitation, requiring immediate patching and security assessments.

Sources

CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Pathshttps://thehackernews.com/2026/03/cisa-flags-actively-exploited-wing-ftp.html
Verified

CVE-2025-47813 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-47813

Verified

Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47813

Verified

Frequently Asked Questions

CVE-2025-47812 is a critical vulnerability in Wing FTP Server that allows unauthenticated attackers to execute arbitrary Lua code via null byte injection in the username parameter, leading to remote code execution with elevated privileges.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix CNSF may not prevent the initial exploitation of application vulnerabilities, it would likely limit the attacker's ability to leverage the compromised server to access other network segments.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to exploit elevated privileges to access other critical systems or data.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's ability to move laterally by enforcing strict segmentation and monitoring internal traffic.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish and maintain command and control channels by monitoring and controlling outbound connections.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by controlling and monitoring outbound data flows.

Impact (Mitigations)

While Aviatrix CNSF may not prevent the initial compromise, it would likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data, thereby reducing the overall impact of the attack.

Impact at a Glance

Affected Business Functions

File Transfer Services
Data Management

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential exposure of server installation paths, which could aid attackers in further exploitation.

Recommended Actions

• Implement regular vulnerability scanning and timely patch management to address known vulnerabilities like CVE-2025-47812.
• Enforce zero trust segmentation to limit lateral movement within the network.
• Deploy inline intrusion prevention systems (IPS) to detect and block exploit attempts.
• Establish robust egress security policies to monitor and control outbound traffic.
• Enhance threat detection capabilities to identify and respond to anomalous activities promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Wing FTP Server Vulnerability Exploited: Immediate Action Required

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-47813

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Obtain Capabilities: Vulnerabilities

Exploitation for Defense Evasion

File and Directory Discovery

Gather Victim Host Information: Software

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Data Security

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Financial Services

Health Care / Life Sciences

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads