Wing FTP Server, Path Disclosure, CVE-2025-47813 (Medium)

Listen to this Post

The vulnerability exists in the `loginok.html` endpoint of Wing FTP Server versions prior to 7.4.4. It is triggered when an attacker, who must have a valid logged-in session, supplies an overly long value in the `UID` cookie . The application fails to properly validate the length of this cookie value. When the submitted value exceeds the maximum path size allowed by the underlying operating system, the server generates an error message . Crucially, this error message does not sanitize the output and inadvertently discloses the full local installation path of the Wing FTP Server application . This information disclosure is classified as CWE-209: Generation of Error Message Containing Sensitive Information . While the vulnerability itself only reveals a system path, it provides attackers with valuable reconnaissance data that can be used to facilitate the exploitation of other, more severe vulnerabilities like CVE-2025-47812, a critical unauthenticated RCE flaw also patched in the same version .

dailycve form:

Platform: Wing FTP Server
Version: before 7.4.4
Vulnerability : Path Disclosure
Severity: Medium
date: 2026-03-16

Prediction: Patch by 2026-03-30

What Undercode Say:

Analytics:

The vulnerability is straightforward to exploit, requiring only a valid session cookie and a long string. Its value lies in chaining it with other exploits . The publication of proof-of-concept (PoC) code by Julien Ahrens of RCE Security increased the risk of exploitation . CISA’s addition of this CVE to its Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026, confirms active exploitation in the wild and mandates patching for federal agencies . Given this directive, a widespread increase in scanning and exploitation attempts is highly likely.

Exploit:

A proof-of-concept exploit involves manipulating the `UID` cookie in a request to loginok.html. The following `curl` command demonstrates how an attacker would send an overly long cookie value to trigger the path disclosure.

Generate a very long string (e.g., 5000 characters) to use as the cookie value
long_string=$(printf '%05000s' | tr ' ' 'A')
Send a request to the loginok.html endpoint with the long UID cookie
This assumes you have a valid session ID (e.g., from a previous login)
curl -v "http://<target-server>:<port>/loginok.html" \
-H "Cookie: UID=$long_string; SessionID=<valid_session_id>"

In a successful exploit, the server’s response would include an error message revealing the full installation path, such as `Error: Unable to write to log file ‘C:\Program Files\Wing FTP Server\logs\…’` on Windows or a similar path on Linux.

Protection from this CVE:

  1. Patch Immediately: Upgrade Wing FTP Server to version 7.4.4 or later, which contains the fix for this vulnerability .
  2. Network Segmentation: Restrict access to the FTP server’s web interface to trusted internal networks only, limiting exposure to potential attackers.
  3. Monitor Logs: Monitor web server logs for requests containing abnormally long cookie values, which could indicate attempted exploitation.
  4. Principle of Least Privilege: Ensure user accounts are granted only the minimum necessary privileges. Since this flaw requires a logged-in session, limiting the number of users with access reduces the attack surface.

Impact:

Successful exploitation results in the disclosure of the full local installation path of the Wing FTP Server . This information reveals the file system structure and the directory where the application is installed. While not directly compromising the server, this knowledge is a critical step in the attack chain. It allows an attacker to map the internal environment and can be used to precisely target other vulnerabilities, such as CVE-2025-47812, which could lead to full remote code execution with SYSTEM or root privileges .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top