CVE-2025-47813: Wing FTP Server Information Disclosure Added to KEV

On March 16, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog to include a significant flaw affecting Wing FTP Server. According to the official CISA announcement, this vulnerability, identified as CVE-2025-47813, is currently being leveraged in active cyberattacks. This addition to the KEV catalog mandates that Federal Civilian Executive Branch (FCEB) agencies prioritize remediation under Binding Operational Directive (BOD) 22-01.

Technical Overview of CVE-2025-47813

Wing FTP Server is a professional, multi-protocol file transfer server that supports FTP, HTTP, FTPS, HTTPS, and SFTP. Because of its wide range of supported protocols and administrative features, it is a frequent target for actors seeking to gain a foothold within a network. The CVE in question, CVE-2025-47813, is classified as an information disclosure vulnerability.

Information disclosure flaws allow unauthorized users to gain access to data that is not intended for them. In the context of a file transfer server, this could include user credentials, configuration files, system paths, or even the contents of private directories. Such data is invaluable for an APT or other malicious actors during the reconnaissance phase of an attack. By gathering internal system details, attackers can more effectively plan for Lateral Movement or Privilege Escalation once an initial entry point is secured.

Strategic Implications of KEV Status

The inclusion of a vulnerability in the KEV catalog is a significant event for SOC teams and vulnerability management programs. For a flaw to be listed, CISA must have evidence of active exploitation in the wild. This shifts the vulnerability from a theoretical risk to a confirmed threat. While the CVSS score may vary depending on the environment, the KEV status overrides standard prioritization metrics by highlighting that the exploit code is not only available but is being successfully utilized by adversaries.

In many cases, an information disclosure vulnerability serves as a precursor to a more destructive RCE or a Ransomware deployment. Attackers use the disclosed information to bypass security controls or identify other unpatched systems within the environment. Therefore, Wing FTP Server information disclosure vulnerability mitigation must be treated with the same urgency as a remote code execution patch.

How to Detect CVE-2025-47813 Exploit Activity

Detecting exploitation attempts requires a combination of log analysis and network monitoring. SIEM administrators should look for abnormal HTTP/S requests or FTP commands that deviate from established baselines. To effectively detect CVE-2025-47813 exploit activity, defenders should monitor for:

• Unexpected requests to administrative interfaces or configuration endpoints.
• Successful authentication events followed by attempts to access sensitive system files outside the standard user directory.
• Log entries indicating unauthorized directory listing or the download of configuration metadata.

Mitigation and Remediation Recommendations

To remediate Wing FTP Server CVE-2025-47813, administrators must apply the security updates provided by the vendor. This is the primary and most effective way to address the underlying code flaw. Beyond patching, organizations should adopt a Zero Trust architecture to limit the impact of any single point of failure.

In addition to patching, security teams should:

1. Audit Logs: Review Wing FTP Server logs for any suspicious activity dating back several weeks to ensure no IoC is present.
2. Network Segmentation: Ensure the FTP server is isolated from the most sensitive parts of the internal network to prevent easy Lateral Movement.
3. Endpoint Protection: Deploy EDR solutions on the server hosting the FTP service to detect post-exploitation behavior.

By following these steps and prioritizing the remediation of KEV vulnerabilities, organizations can significantly reduce their risk profile against modern threat actors.