CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added CVE-2025-47813, an information disclosure vulnerability in Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations are strongly urged to prioritize timely remediation of this vulnerability to reduce exposure to cyberattacks.
Authors: CISA
Source: CISA
Key Takeaways
- CISA added CVE-2025-47813 to the Known Exploited Vulnerabilities (KEV) Catalog.
- The vulnerability affects Wing FTP Server and involves information disclosure.
- There is evidence of active exploitation of this vulnerability in the wild.
- Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability per BOD 22-01.
Affected Systems
- Wing FTP Server
Vulnerabilities (CVEs)
- CVE-2025-47813
Attack Chain
Threat actors are actively exploiting an information disclosure vulnerability (CVE-2025-47813) in Wing FTP Server. While specific attack chain details are not provided in the alert, successful exploitation likely allows attackers to access sensitive information from the affected public-facing servers.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the alert.
Detection Engineering Assessment
- EDR Visibility: Low. Information disclosure vulnerabilities often do not involve executing malicious payloads or spawning suspicious processes that EDRs typically catch, unless followed by further exploitation.
- Network Visibility: Medium. Network sensors might detect anomalous data exfiltration or specific exploit payloads targeting the FTP server, depending on encryption and available signatures.
- Detection Difficulty: Moderate. Detecting information disclosure requires baseline knowledge of normal FTP traffic and identifying anomalous access patterns or exploit signatures.
Required Log Sources
- FTP Server Application Logs
- Network Traffic Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual or unauthorized access to sensitive files or directories within the Wing FTP Server environment. | Application Logs | Collection | Medium |
Control Gaps
- Lack of timely patching for public-facing applications
Key Behavioral Indicators
- Anomalous FTP access patterns
- Unexpected data transfer volumes from the FTP server
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Patch or update Wing FTP Server to the latest secure version that mitigates CVE-2025-47813.
Infrastructure Hardening
- Restrict access to the FTP server to trusted IP addresses if possible.
- Implement Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) with updated signatures for CVE-2025-47813.
User Protection
- N/A
Security Awareness
- Ensure vulnerability management teams are tracking and prioritizing CISA KEV additions.
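One way to put the KEV-tracking recommendation into practice, as an added example that is not part of the CISA alert: match KEV entries against an asset inventory and order the remediation worklist by exposure and due date. The catalog sample follows the field names of CISA's KEV JSON feed, but its dates are placeholders, and the inventory, hostnames and name-based product matching are assumptions.

```python
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The dates are
# placeholders, not the real dateAdded/dueDate for this entry.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-47813", "vendorProject": "Wing FTP Server",
         "product": "Wing FTP Server", "dateAdded": "2099-01-01",
         "dueDate": "2099-01-22"},
    ]
}

# Hypothetical asset inventory (constructed hosts and fields).
INVENTORY = [
    {"host": "ftp01.example.internal", "product": "wing ftp server",
     "internet_facing": True},
    {"host": "ftp02.example.internal", "product": "Wing FTP Server ",
     "internet_facing": False},
    {"host": "web01.example.internal", "product": "nginx",
     "internet_facing": True},
]


def kev_worklist(catalog, inventory, today):
    """Return one work item per (KEV entry, affected asset) pair."""
    # Index assets by normalized product name (assumed matching strategy).
    by_product = {}
    for asset in inventory:
        key = asset["product"].strip().lower()
        by_product.setdefault(key, []).append(asset)

    work = []
    for vuln in catalog.get("vulnerabilities", []):
        due = date.fromisoformat(vuln["dueDate"])
        for asset in by_product.get(vuln["product"].strip().lower(), []):
            work.append({
                "cve": vuln["cveID"],
                "host": asset["host"],
                "internet_facing": asset["internet_facing"],
                "days_left": (due - today).days,
                "overdue": due < today,
            })
    # Internet-facing assets first (T1190 exposure), then least time left.
    work.sort(key=lambda w: (not w["internet_facing"], w["days_left"], w["host"]))
    return work


if __name__ == "__main__":
    for item in kev_worklist(KEV_SAMPLE, INVENTORY, date(2099, 1, 10)):
        print(item)
```
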
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application