CVE-2025-47813 is a medium-severity vulnerability affecting Wing FTP Server versions prior to 7.4.4. The issue arises from the loginok.html page disclosing sensitive information through error messages when a specially crafted long value is used in the UID cookie. Specifically, the vulnerability is categorized under CWE-209, which involves the generation of error messages containing sensitive information. In this case, the server reveals the full local installation path of the application. This information disclosure occurs without requiring user interaction but does require some level of privileges (PR:L) as indicated by the CVSS vector. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting a low to medium impact primarily on confidentiality, with no impact on integrity or availability. The attack vector is network-based (AV:N), and the attack complexity is low (AC:L), meaning an attacker can exploit this remotely with relative ease once they have the required privileges. Although no known exploits are currently reported in the wild, the disclosure of the full installation path can aid attackers in further reconnaissance and facilitate more targeted attacks such as directory traversal, privilege escalation, or exploitation of other vulnerabilities by revealing the server's directory structure and deployment details. The vulnerability does not require user interaction (UI:N) and does not affect the scope beyond the vulnerable component (S:U).

For European organizations using Wing FTP Server, this vulnerability poses a moderate risk primarily related to information leakage. Disclosure of the full local installation path can provide attackers with valuable intelligence about the server environment, potentially enabling more sophisticated attacks. While the vulnerability itself does not allow direct compromise of data integrity or availability, it can be a stepping stone for attackers to identify other weaknesses or misconfigurations. Organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, or government agencies, may find this information disclosure particularly concerning as it could aid in targeted attacks. Additionally, compliance with European data protection regulations like GDPR requires minimizing unnecessary exposure of system details that could facilitate breaches. Therefore, even though the immediate impact is limited, the vulnerability could indirectly increase the risk of more severe security incidents if exploited in combination with other vulnerabilities.

To mitigate this vulnerability, European organizations should prioritize upgrading Wing FTP Server to version 7.4.4 or later, where the issue has been addressed. If immediate patching is not feasible, organizations should implement web application firewall (WAF) rules to detect and block requests with abnormally long UID cookie values that trigger the error message. Additionally, server-side error handling should be reviewed and hardened to avoid leaking sensitive information in error responses. Logging and monitoring should be enhanced to detect unusual access patterns or attempts to exploit this vulnerability. Restricting access to the FTP server management interface and enforcing least privilege principles can reduce the risk of exploitation since the vulnerability requires some level of privileges. Finally, conducting regular security assessments and penetration testing focused on information disclosure vulnerabilities will help identify and remediate similar issues proactively.