CVE-2025-47813

MEDIUM 4.3 / 10.0
Published: July 10, 2025 at 05:15 PM
Modified: July 17, 2025 at 01:17 PM
Source: cve@mitre.org

Vulnerability Description

loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

CVSS Metrics

Base Score: 4.3
Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

Source: cve@mitre.org

AI Security Analysis

01 // Technical Summary

Wing FTP Server versions prior to 7.4.4 contain a path disclosure vulnerability. By sending a specially crafted HTTP request with a long value in the UID cookie, an attacker can obtain the full local installation path of the server. This information can be used to facilitate further attacks, including remote code execution and privilege escalation.

02 // Vulnerability Mechanism

Step 1: Target Identification: Identify a Wing FTP Server instance running a vulnerable version (prior to 7.4.4).

Step 2: Craft Request: Construct an HTTP GET request to loginok.html or any page that uses the UID cookie.

Step 3: Payload Delivery: Include a UID cookie in the request with an extremely long string value (e.g., a string of 1000+ 'A' characters).

Step 4: Request Submission: Send the crafted HTTP request to the target server.

Step 5: Information Disclosure: Analyze the server's response. The full installation path of Wing FTP Server will be revealed in the response body or headers (e.g., in an error message or debugging information).

03 // Deep Technical Analysis

The vulnerability lies in the handling of loginok.html in Wing FTP Server. The server does not validate the length of the value supplied in the UID cookie. When a long string is supplied, the server's response includes the full installation path in an error message or response header. The CVE description does not name the root cause; it is likely a format string vulnerability or an unchecked buffer in how the server processes the cookie value when generating the response. The disclosed path is sensitive information that can be leveraged for further exploitation.
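A defensive check for the behaviour described above, as an added example that is not part of the original page or of Wing FTP Server: it flags captured requests carrying an oversized UID cookie and responses that echo an absolute filesystem path. The 128-character threshold, the sample requests, the host name and the leaked path are constructed assumptions.

```python
import re

# Assumption: legitimate UID session values are short; tune per deployment.
MAX_UID_LEN = 128
# Heuristic for absolute paths (Windows drive or common Unix roots) in a response.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\[^\s\"'<>]+|/(?:opt|usr|home|var|srv)/[^\s\"'<>]+)")

def parse_request(raw):
    """Return (method, target, headers) from a raw HTTP/1.x request head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def uid_cookie_length(headers):
    """Length of the UID cookie value, or 0 if the cookie is absent."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return 0

def inspect(raw_request, response_body=""):
    """Return findings for one captured request/response pair."""
    method, target, headers = parse_request(raw_request)
    findings = []
    n = uid_cookie_length(headers)
    if n > MAX_UID_LEN:
        findings.append(f"oversized UID cookie ({n} chars) on {method} {target}")
    leaked = PATH_RE.findall(response_body)
    if leaked:
        findings.append("absolute path in response: " + leaked[0])
    return findings

# Constructed samples (not real traffic): a normal login and an oversized cookie.
NORMAL = ("GET /loginok.html HTTP/1.1\r\nHost: ftp.example.test\r\n"
          "Cookie: UID=3f9c2a7be1d04c58\r\n\r\n")
OVERSIZED = ("GET /loginok.html HTTP/1.1\r\nHost: ftp.example.test\r\n"
             "Cookie: lang=en; UID=" + "A" * 1000 + "\r\n\r\n")
LEAKY_BODY = "cannot open C:\\ExampleApp\\session\\placeholder.tmp"  # placeholder path

if __name__ == "__main__":
    for req, body in ((NORMAL, ""), (OVERSIZED, LEAKY_BODY)):
        print(inspect(req, body))
```

The same two checks can be expressed as a reverse-proxy or WAF rule in front of servers that cannot yet be upgraded to 7.4.4.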
