CVE-2025-47813 is an information disclosure vulnerability identified in Wing FTP Server versions before 7.4.4. The issue arises from the loginok.html page, which improperly handles a long value in the UID cookie, causing the server to reveal the full local installation path of the application in its error message. This behavior corresponds to CWE-209, where error messages inadvertently expose sensitive information that could be leveraged by attackers. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require low-level privileges (PR:L), indicating that some form of limited authentication or access is necessary. The disclosed path information can provide attackers with valuable insights into the server's directory structure, potentially facilitating further attacks such as privilege escalation, targeted exploitation of other vulnerabilities, or crafting more effective social engineering attacks. The CVSS v3.1 base score is 4.3, reflecting a medium severity primarily due to the confidentiality impact and ease of exploitation. There are no known exploits in the wild at the time of publication, and no patches have been linked yet, although an update to version 7.4.4 or later is expected to address the issue. The vulnerability highlights the importance of secure error handling and input validation in web applications, especially those exposed to the internet like FTP servers.

The primary impact of CVE-2025-47813 is the disclosure of sensitive internal information, specifically the full local installation path of the Wing FTP Server application. While this does not directly compromise system integrity or availability, it undermines confidentiality and can significantly aid attackers in reconnaissance efforts. By knowing the exact directory structure, attackers can tailor subsequent attacks more effectively, such as locating configuration files, identifying potential privilege escalation vectors, or exploiting other vulnerabilities that depend on path knowledge. For organizations worldwide, this could increase the risk of targeted attacks against their FTP infrastructure, especially if combined with other vulnerabilities or weak access controls. The requirement for low privileges limits the scope somewhat, but in environments where multiple users have limited access, this could still be exploited internally or by attackers who have gained minimal footholds. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation. Organizations relying on Wing FTP Server for file transfer services, particularly those handling sensitive or regulated data, could face increased exposure to information leakage and subsequent attacks if unpatched.

1. Upgrade Wing FTP Server to version 7.4.4 or later as soon as the patch is available to eliminate the vulnerability. 2. Until patching is possible, restrict access to the FTP server to trusted networks and users to reduce the risk of exploitation. 3. Implement strict input validation on cookies and other user-supplied data to prevent malformed or excessively long values from triggering error conditions that leak information. 4. Configure the server and web application to suppress detailed error messages in production environments, ensuring that internal paths and system details are not exposed to users. 5. Employ web application firewalls (WAFs) or intrusion detection systems (IDS) to monitor and block suspicious requests that include abnormal cookie values or attempt to trigger error conditions. 6. Conduct regular security audits and penetration testing focused on error handling and information disclosure to identify and remediate similar issues proactively. 7. Educate administrators and developers on secure coding practices, emphasizing the importance of not revealing sensitive information in error messages.