CISA Adds Wing FTP Server Information Disclosure Flaw to KEV Catalog

Tags: wing ftp server, cisa, information disclosure, path disclosure, vulnerability, web authentication, proof-of-concept, actively exploited, kev, cookie
Updated March 17, 2026 at 07:00 AM · 3 sources

CISA added Wing FTP Server vulnerability CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively exploited and requiring Federal Civilian Executive Branch agencies to remediate it by March 30, 2026 under BOD 22-01. The issue affects Wing FTP Server versions prior to 7.4.4 and stems from improper handling of an overly long UID cookie in loginok.html, which can cause the server to disclose the application's full local installation path during web authentication.

Although CVE-2025-47813 is an information disclosure issue rather than a standalone remote code execution bug, reporting indicates it can support attacker reconnaissance and may be chained with other Wing FTP Server flaws in broader attack paths. The vendor patched the vulnerability in May 2025 in version 7.4.4, alongside CVE-2025-47812 and CVE-2025-27889, and researcher Julien Ahrens previously published proof-of-concept details showing how the path disclosure could aid exploitation. Organizations using Wing FTP Server, not just federal agencies, should verify they are no longer running vulnerable versions and review exposure of web-based authentication components.
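As an added example (not code from the article, CISA, or the vendor), the Python helper below does two defender-side triage tasks: it checks whether a reported Wing FTP Server version predates the 7.4.4 fix, and it scans constructed web access-log lines for loginok.html requests that carry an abnormally long UID cookie. The log line format and the 256-character threshold are assumptions for illustration; the page does not state the exact length the server mishandles.

```python
"""Triage helpers for CVE-2025-47813 (Wing FTP Server path disclosure)."""
import re

FIXED_VERSION = (7, 4, 4)          # first release the vendor patched (May 2025)
SUSPICIOUS_UID_LEN = 256           # assumed heuristic; normal session IDs are far shorter

def parse_version(text):
    """Turn '7.4.3' (or 'Wing FTP Server 7.4.3') into a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def is_vulnerable(version):
    """True when the reported version is older than the 7.4.4 fix."""
    return parse_version(version) < FIXED_VERSION

# Constructed log format: '<client> "<method> <path> HTTP/x" <status> "<Cookie header>"'
LOG_RE = re.compile(r'^(\S+) "(\w+) ([^" ]+)[^"]*" (\d{3}) "([^"]*)"$')

def uid_cookie_len(cookie_header):
    """Length of the UID cookie value, 0 if no UID cookie is present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return 0

def flag_requests(lines):
    """Return (client, path, uid_len) for loginok.html hits with an oversized UID cookie."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not match the assumed format
        client, _method, path, _status, cookies = m.groups()
        length = uid_cookie_len(cookies)
        if path.endswith("/loginok.html") and length >= SUSPICIOUS_UID_LEN:
            hits.append((client, path, length))
    return hits

# Constructed sample lines: one normal login, one oversized UID cookie, one off-path request.
SAMPLE_LOG = [
    '10.0.0.5 "POST /loginok.html HTTP/1.1" 200 "UID=abc123def456; lang=en"',
    '203.0.113.9 "GET /loginok.html HTTP/1.1" 200 "UID=' + "A" * 600 + '"',
    '10.0.0.7 "GET /index.html HTTP/1.1" 200 "UID=' + "A" * 600 + '"',
]

if __name__ == "__main__":
    print("7.4.3 vulnerable:", is_vulnerable("7.4.3"))
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious loginok.html request:", hit)
```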

Related Stories

CISA Alerts on Active Exploitation of Gladinet and CWP Vulnerabilities

CISA has issued an alert regarding the active exploitation of two critical vulnerabilities: a local file inclusion/remote code execution (LFI/RCE) flaw in *Gladinet CentreStack* and *Triofox* (CVE-2025-11371), and an OS command injection vulnerability in *Control Web Panel* (CWP) (CVE-2025-48703). Both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of in-the-wild attacks, and are considered significant risks for organizations, especially those in the federal enterprise. Federal Civilian Executive Branch (FCEB) agencies are mandated by Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified due date to protect against ongoing threats. CISA strongly recommends that all organizations, not just federal agencies, prioritize patching these vulnerabilities as part of their vulnerability management practices to reduce exposure to cyberattacks leveraging these flaws.

4 months ago

CISA Adds Gladinet CentreStack and CWP Control Web Panel Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities—CVE-2025-11371 in Gladinet CentreStack/Triofox and CVE-2025-48703 in Control Web Panel (CWP)—to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. CVE-2025-11371 is a local file inclusion flaw in Gladinet CentreStack and Triofox that allows unauthenticated access to system files, with reports from Huntress indicating that threat actors have already targeted at least three organizations by running reconnaissance commands via Base64-encoded payloads. CVE-2025-48703 is an unauthenticated remote code execution vulnerability in CWP, exploitable via shell metacharacters in the `t_total` parameter of a filemanager request, though there are currently no public reports of this flaw being weaponized in real-world attacks. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by November 25, 2025, to mitigate these risks. Both Gladinet and Huntress have issued alerts and recommended workarounds for the actively exploited CentreStack/Triofox vulnerability, such as disabling the temp handler in the UploadDownloadProxy’s web configuration. The addition of these vulnerabilities to the KEV catalog underscores the urgency for organizations using these platforms to implement security updates and monitor for signs of exploitation, especially as technical details for the CWP flaw have been publicly disclosed, increasing the risk of future attacks.

4 months ago

CISA Adds Windows Desktop Window Manager Information Disclosure (CVE-2026-20805) to KEV After Active Exploitation

**CISA added Microsoft Windows Desktop Window Manager (DWM) vulnerability `CVE-2026-20805` to the Known Exploited Vulnerabilities (KEV) Catalog** after confirming it is being exploited in the wild, triggering mandatory remediation requirements for U.S. federal civilian agencies under *BOD 22-01*. Agencies were directed to apply patches by **February 3**. The flaw is described as an **information disclosure** issue in DWM that leaks small pieces of memory data (including a user-mode memory address associated with a remote ALPC port), and exploitation requires **local access** to the targeted system. Although the bug does not directly provide code execution, reporting notes it can materially weaken system defenses by enabling attackers to **undermine Address Space Layout Randomization (ASLR)** and improve the reliability of follow-on exploitation when chained with a separate execution vulnerability. Microsoft released the fix as part of the first Patch Tuesday of 2026 (roughly **112–114 CVEs** depending on whether Chromium-related fixes are included), but **did not disclose details** about the in-the-wild exploitation or any additional components involved in observed exploit chains, limiting defenders’ ability to proactively hunt for related activity.

2 months ago
