
[CIVN-2026-0144] Information Disclosure Vulnerability in Wing FTP Server
Information Disclosure Vulnerability in Wing FTP Server
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: MEDIUM
Software Affected
WingFTP Server Versions prior to 7.4.4
Overview
A vulnerability has been reported in Wing FTP Server which could allow an authenticated attacker to obtain sensitive information on the target system.
Target Audience:
All organizations and individuals using the WingFTP product.
Risk Assessment:
Exposure of sensitive internal server information.
Impact Assessment:
Sensitive information disclosure: exposure of the local server path.
Description
Wing FTP Server is a free FTP server software for Windows, Linux, and Mac OS. It supports multiple file transfer protocols, including FTP, FTPS, HTTP, HTTPS, SFTP and provides a web-based interface for administration.
The vulnerability exists in WingFTP Server due to improper validation of the session cookie at an endpoint. An attacker could exploit this vulnerability by sending a specially crafted request containing an oversized UID cookie value after authenticating on the target system.
Successful exploitation of this vulnerability could allow an authenticated attacker to obtain the local server path of the application on the targeted system.
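The following detection sketch is an added example, not part of the CERT-In advisory or of Wing FTP Server: it scans web request logs for the oversized UID cookie described above. The log line format, the request paths, the sample lines and the 64-character threshold are all assumptions; adapt the parser to whatever your reverse proxy or WAF records and set the threshold from the UID lengths your own server issues.

```python
import re

# Assumption: alert threshold in characters. Baseline the UID lengths your own
# server issues and set this just above the longest legitimate value.
MAX_UID_LEN = 64

# Constructed log format (not Wing FTP's own):
#   client_ip "request line" status "Cookie header"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

def uid_values(cookie_header):
    """Return every UID cookie value in a Cookie header (duplicates included)."""
    values = []
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == "UID":
            values.append(value)
    return values

def find_oversized_uid(lines, max_len=MAX_UID_LEN):
    """Return (line_no, ip, request, uid_length) for over-long UID cookies."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        # A request may repeat the cookie; judge it by the longest value sent.
        longest = max((len(v) for v in uid_values(m["cookie"])), default=0)
        if longest > max_len:
            hits.append((no, m["ip"], m["req"], longest))
    return hits

# Constructed sample lines; paths are made up, addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 "GET /main.html HTTP/1.1" 200 "UID=' + "a" * 32 + '; lang=en"',
    '198.51.100.7 "POST /example.html HTTP/1.1" 200 "lang=en; UID=' + "A" * 400 + '"',
    '192.0.2.10 "GET /main.html HTTP/1.1" 200 "client_lang=english"',
    '203.0.113.5 "GET /main.html HTTP/1.1" 200 "UID=' + "b" * 32 + "; UID=" + "B" * 300 + '"',
]

if __name__ == "__main__":
    for hit in find_oversized_uid(SAMPLE_LOG):
        print("oversized UID cookie: line %d from %s %r (%d chars)" % hit)
```

Hits on a server still running a version prior to 7.4.4 are worth correlating with the authenticated session that sent them, since the advisory states the request is made after authentication.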
Solution
Apply appropriate updates as mentioned by the vendor:
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt
Vendor Information
Wing FTP server
https://www.wftpserver.com
References
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt
CVE Name
CVE-2025-47813
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


