CVE-2025-47813

CVSS 4.3 MEDIUM · EPSS 56.4% · KEV · CWE-209

In short

Wing FTP Server reveals where it is installed on the computer when someone tampers with a cookie. This information leak could help an attacker plan further attacks.

Technical detail

CWE-209 information disclosure vulnerability in loginok.html: improper input validation on the UID cookie parameter causes the application to expose the full local installation path in error messages or responses. Exploitation requires the attacker to craft a malicious UID cookie value. The impact is on confidentiality: the disclosed installation directory may aid reconnaissance for subsequent attacks.

Summary generated and translated by AI from the official description.
loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N