CISA flags actively exploited vulnerability of file transfer software used by US Air Force and Sony


The US Cybersecurity and Infrastructure Security Agency (CISA) has officially urged US federal agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that could be chained in remote code execution (RCE) attacks.

Now tracked as CVE-2025-47813, the vulnerability allows threat actors with low privileges to discover the full installation path of the application on unpatched servers.

This looks serious. The developers of Wing FTP Server, a cross-platform FTP server, claim that their software is used by more than 10,000 customers worldwide, including the US Air Force, Airbus, Sony, Reuters, and Sephora.

“Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie,” explains CISA.

Apparently, this flaw can be chained with another critical remote code execution vulnerability, CVE-2025-47812, and an information disclosure flaw, CVE-2025-27889, which can be used to steal user passwords.

The agency is giving Federal Civilian Executive Branch agencies two weeks to secure their systems. CISA has warned all defenders, including those in the private sector, to patch their servers against potential cyberattacks as soon as possible.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the agency warned.

According to Andrew Obadiaru, the Chief Information Security Officer (CISO) at cybersecurity firm Cobalt, this is a textbook example of how attackers don’t need novel exploits to be effective.

“Instead, they chain together known weaknesses, starting with something as seemingly low-impact as information disclosure to map out the environment and identify paths to deeper compromise. The real issue is not the existence of these vulnerabilities, but the lag between disclosure, patching, and remediation across organizations,” said Obadiaru.

“When a medium-severity flaw becomes the first step in a multi-stage attack leading to remote code execution, it underscores how defenders need to think in terms of attack paths, not individual CVEs.”

To Dale Hoak, CISO at RegScale, what stands out is how quickly a vulnerability that looks minor on paper can become operationally significant once it shows up in the Known Exploited Vulnerabilities Catalog and active exploitation is confirmed.

“Security teams often prioritize patching based on severity scores, but adversaries prioritize based on opportunity and accessibility,” explained Hoak.

“In this case, the real risk isn’t just the information disclosure flaw itself. It’s how easily it can be chained with an existing RCE vulnerability to escalate impact.”

According to Hoak, that’s actually a pattern we’re seeing more often: attackers combining lower-severity weaknesses with known exploits to create a much more serious compromise path. This highlights a persistent gap in many vulnerability programs.

