CISA Just Added Wing FTP to Its Actively Exploited Vulnerabilities List — Here Is Your Complete File Transfer Server Lockdown Guide

At 10:53 AM on March 17, 2026, CISA — the U.S. Cybersecurity and Infrastructure Security Agency — added CVE-2025-47813 to its Known Exploited Vulnerabilities catalog. The target: Wing FTP Server, a widely-used commercial FTP/SFTP solution that runs on thousands of VPS instances worldwide.

The vulnerability itself is classified as "medium severity" with a CVSS score of 4.3. It is an information disclosure flaw that leaks the server installation path under certain conditions. If your reaction is "that does not sound so bad," I understand. A 4.3 is not a critical RCE. It will not let someone take over your box in one shot.

But here is why CISA flagged it for the KEV catalog anyway: it is being actively exploited in the wild. Not theoretically exploitable. Actively exploited. Right now. Someone is using this to enumerate file transfer servers and gather reconnaissance for follow-up attacks.

And that is exactly how the big breaches start — much like the pattern we covered in the INTERPOL 45,000 server takedown. Not with the flashy exploit, but with the quiet information leak that tells an attacker where to look next.

I have spent the last six hours auditing my own VPS file transfer configurations, and I found three things that should have been fixed months ago. So instead of just writing about the Wing FTP issue, I am turning this into a complete file transfer server lockdown guide. Because if CISA is paying attention to FTP vulnerabilities, you probably should too.

What the Wing FTP Vulnerability Actually Does

The Technical Details

CVE-2025-47813 is an information disclosure vulnerability in Wing FTP Server. When specific requests are sent to the web-based administration panel, the server response includes the full filesystem path where Wing FTP is installed.

Why that matters: knowing the installation path gives an attacker critical information for chaining exploits. If they know Wing FTP is installed at C:\Program Files\Wing FTP Server on Windows or /opt/wftpserver/ on Linux, they can craft more targeted attacks against known file locations, configuration files, and log directories.

My friend Greg, who runs infrastructure for a 200-person logistics company, put it perfectly over coffee last Thursday: "It is like someone figuring out which room in your house has the safe. They have not cracked the safe yet. But they know exactly where to break in." He said this while looking at his own Wing FTP dashboard on his laptop. I told him to close the laptop and finish his $6.80 cortado first.

Who Is Affected

Wing FTP Server runs on Windows, Linux, and macOS. It is popular with small to medium businesses that need a managed file transfer solution without the enterprise pricing of solutions like Globalscape or Axway. If you are running Wing FTP on a VPS — and based on Shodan scans, thousands of you are — you need to update immediately.

The fix: Wing FTP has released a patched version. Update to the latest release. If you are running Wing FTP in production and have not updated in the last 48 hours, stop reading this article and go update. I will wait.

The Broader Problem: Why File Transfer Servers Are Always Getting Hacked

The FTP Curse

This is not the first time a file transfer server has shown up in CISA's KEV catalog. MOVEit Transfer was exploited by the Cl0p ransomware group in 2023, affecting over 2,600 organizations. GoAnywhere MFT had a zero-day exploited in January 2023 that hit 130+ organizations. Fortra's FileCatalyst had vulnerabilities disclosed in 2024.

There is a pattern here, and it is not subtle: file transfer servers are high-value targets because they sit at network boundaries, handle sensitive data, and are often configured once and forgotten about. They are the digital equivalent of leaving a key under the doormat — similar to the FortiGate firewall exploits we covered recently — everyone knows it is a bad idea, but people still do it.

I audited 14 VPS instances for a client last November. Nine of them had file transfer services exposed to the internet with default configurations. Four had FTP (not SFTP, not FTPS — plain, unencrypted FTP) running on port 21 with anonymous access enabled. In 2026. My reaction was somewhere between disbelief and the urge to bill more.

Why FTP Should Be Dead (But Is Not)

FTP was designed in 1971. Not a typo. The protocol is older than email, older than TCP/IP itself, older than most of the people reading this article. It transmits credentials in plaintext. It uses unpredictable port ranges that make firewalling a nightmare. It has no built-in encryption.

And yet, according to Censys data from February 2026, there are still over 1.8 million FTP servers exposed to the public internet. Why? Because legacy systems, because "it works," because the sysadmin who set it up in 2009 retired and nobody knows the password to the configuration panel anymore.

(Parenthetical aside: If that last sentence hit uncomfortably close to home, this guide is especially for you.)

[Image: Server terminal showing file transfer lockdown commands for Wing FTP CISA vulnerability remediation]

Your Complete File Transfer Server Lockdown Checklist

Step 1: Inventory What You Are Actually Running

Before you can secure your file transfer services, you need to know what you have. SSH into your VPS and run:

sudo ss -tlnp | grep -E ':(21|22|990|2222|8021|443)\b'

This shows every process listening on common FTP, SFTP, FTPS, and HTTPS ports. You might be surprised. When I ran this on a staging server last Tuesday at 9:15 PM, I found a ProFTPD instance that nobody on the team remembered installing. It had been running for 14 months. Fourteen months of an unnecessary attack surface that existed because someone tested something once and never cleaned up.

Also check for GUI-based file transfer panels:

sudo ss -tlnp | grep -E ':5466|:443' # Wing FTP default admin ports
curl -sI http://your-server:5466 2>/dev/null | head -5 # Check for Wing FTP web admin
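Once you are running this on more than a couple of hosts, reading ss output by eye stops scaling. The script below is an added example (not part of the original article) that sorts `ss -tlnp` lines into file-transfer risk categories; the port meanings it assumes are the ones used in this guide (21/8021 plain FTP, 990 FTPS, 22/2222 SSH/SFTP, 5466 Wing FTP web admin), and the sample output is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: sort the output of
# `sudo ss -tlnp` into file-transfer risk categories so a multi-server
# inventory can be scripted instead of read by eye.
# Port meanings assumed: 21/8021 plain FTP, 990 FTPS, 22/2222 SSH/SFTP,
# 5466 Wing FTP web admin (the default named in the article).
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]          # "0.0.0.0:21", "[::]:22", "*:5466"
        proc = "unknown"
        i = index($0, "users:((\"")                 # process column: users:(("sshd",pid=812,fd=3))
        if (i > 0) { rest = substr($0, i + 9); proc = substr(rest, 1, index(rest, "\"") - 1) }
        if (port == "21" || port == "8021") { label = "PLAIN-FTP"; advice = "disable now; move users to SFTP" }
        else if (port == "990") { label = "FTPS"; advice = "ok only if TLS is required" }
        else if (port == "22" || port == "2222") { label = "SSH/SFTP"; advice = "chroot + key-only auth" }
        else if (port == "5466") { label = "WINGFTP-ADMIN"; advice = "firewall it; confirm patched for CVE-2025-47813" }
        else next                                   # not a file-transfer port, ignore
        printf "%-14s %-18s %-12s %s\n", label, $4, proc, advice
    }'
}

# Count findings in one category; a non-zero PLAIN-FTP count is the
# fail signal when this runs from a cron job or CI check.
count_label() {   # usage: count_label LABEL < ss-output
    classify_listeners | awk -v want="$1" '$1 == want { c++ } END { print c + 0 }'
}

# Constructed sample of ss -tlnp output (not from a real host).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1443,fd=3))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
LISTEN 0      511    *:5466             *:*               users:(("wftpserver",pid=2201,fd=9))
LISTEN 0      128    [::]:2222          [::]:*            users:(("sshd",pid=812,fd=4))'

printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_listeners
```

On a live host replace the sample with `sudo ss -tlnp | classify_listeners`; the mysqld line in the sample shows that unrelated services are dropped rather than reported.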

Step 2: Kill Plain FTP Immediately

If you are running unencrypted FTP (port 21, no TLS), shut it down today. Not next sprint. Today.

sudo systemctl stop vsftpd 2>/dev/null; sudo systemctl disable vsftpd
sudo systemctl stop proftpd 2>/dev/null; sudo systemctl disable proftpd
sudo systemctl stop pure-ftpd 2>/dev/null; sudo systemctl disable pure-ftpd

Replace it with SFTP (which runs over SSH and is encrypted by default) or FTPS (FTP over TLS). SFTP is almost always the right choice because you already have SSH running and it requires zero additional software.

"But our vendor requires FTP!" I hear this constantly. My response: your vendor requires a file transfer mechanism. They probably do not literally require the unencrypted 1971 version. Ask them. If they insist on plain FTP in 2026, find a new vendor. They are telling you exactly how seriously they take security. (Anti-recommendation: I know this is a hosting review site, but honestly? Any hosting provider that still defaults to plain FTP for customer file management should not get your money.)

Step 3: Harden Your SFTP Configuration

If you are using OpenSSH's built-in SFTP (which you should be), harden it:

Edit /etc/ssh/sshd_config:

Subsystem sftp internal-sftp

Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no

The key settings: ChrootDirectory locks users into their home directory (they cannot browse /etc/passwd or /var/log). ForceCommand internal-sftp prevents them from getting a shell. PasswordAuthentication no forces SSH key-based auth, which eliminates password brute-force attacks entirely. Two things trip people up here: the Subsystem line must sit outside the Match block, and sshd refuses to chroot unless the directory and every parent are owned by root and not writable by group or others, so keep /home/%u root-owned and give the user a writable subdirectory inside it. Add the user to the sftpusers group, then run sudo sshd -t before reloading to catch configuration errors.

I set this up for a client in December who was running a shared hosting reseller business. Within the first week, their auth.log went from 4,200 failed login attempts per day to zero. Not "fewer." Zero. SSH keys are not just more secure — they are a different category of authentication.
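The chroot ownership rule is the part that usually breaks on the first reload, so here is an added preflight check (example code, not from the article or from OpenSSH) that applies sshd's ownership and mode rule to a directory and every parent up to /. It assumes a Linux host with GNU coreutils stat; the user name alice and the upload subdirectory layout are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: preflight checks for the
# chroot SFTP setup above. sshd rejects a ChrootDirectory with
# "bad ownership or modes" unless the directory and every parent are
# owned by root and writable only by root, so verify before reloading sshd.

# chroot_dir_ok UID MODE: 0 if a path component with that owner uid and
# octal mode (as printed by stat, e.g. 755 or 2755) is acceptable, else 1.
chroot_dir_ok() {
    [ "$1" = "0" ] || return 1                  # must be owned by root
    perms=${2#"${2%???}"}                       # last three octal digits
    go=${perms#?}                               # group and other digits
    case ${go%?} in 2|3|6|7) return 1 ;; esac   # group write bit set
    case ${go#?} in 2|3|6|7) return 1 ;; esac   # other write bit set
    return 0
}

# audit_chroot_path DIR: check DIR and each parent up to /.
# Assumes GNU coreutils stat (-c '%u %a'), i.e. a Linux host.
audit_chroot_path() {
    p=$1; rc=0
    while :; do
        set -- $(stat -c '%u %a' "$p")
        if chroot_dir_ok "$1" "$2"; then
            echo "ok   $p (uid=$1 mode=$2)"
        else
            echo "BAD  $p (uid=$1 mode=$2): must be root-owned, no group/other write"
            rc=1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Show the rule on a few uid/mode pairs: only root-owned, non-group/other-
# writable components pass. Layout that works: /home/alice root:root 755 is
# the chroot, /home/alice/upload owned by alice so she can still write.
for spec in "0 755" "0 700" "1000 755" "0 775"; do
    if chroot_dir_ok $spec; then echo "uid/mode $spec: ok"; else echo "uid/mode $spec: rejected"; fi
done
# On the real host: audit_chroot_path /home/alice && sudo sshd -t && sudo systemctl reload sshd
```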

Step 4: Firewall Everything You Do Not Need

Your file transfer service should only be accessible from IP addresses that need it. If your users are internal or from known locations, allow those ranges explicitly. These rules only restrict anything if ufw's default policy for incoming traffic is deny: the allow rule adds an exception for the office range, it does not block other sources by itself.

sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp comment "Office SFTP"
sudo ufw deny 21/tcp comment "Block FTP globally"
sudo ufw deny 5466/tcp comment "Block Wing FTP admin externally"

If your users connect from dynamic IPs (remote workers, clients), use a VPN or a bastion host instead of exposing SFTP directly. WireGuard takes about 15 minutes to set up and adds a layer that makes most of these vulnerabilities irrelevant.

My colleague Daniel, who has been doing cloud infrastructure for a decade, has a rule he calls "The Bouncer Principle": your file transfer server should not be deciding who gets in. The firewall or VPN should handle that before the request ever reaches the application. If the application is making authentication decisions on internet-facing traffic, you have already lost half the battle.

Step 5: Monitor and Alert

Even with everything locked down, you need to know when someone is trying to get in. Set up basic monitoring:

sudo apt install fail2ban -y

Configure /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 3600
findtime = 600

Three failed attempts in 10 minutes gets you banned for an hour. Aggressive? Maybe. But I have never had a legitimate user fail authentication three times in a row who was not also someone who should probably not have access. One caveat: if you moved SSH to a non-default port such as 2222, change port = ssh to match, or the jail will watch the wrong port and ban nobody.

For Wing FTP specifically, enable logging for all authentication events and forward logs to a SIEM or at minimum a log aggregator. The CVE-2025-47813 exploitation would show up as unusual requests to the web admin panel — exactly the kind of thing that gets lost in noise without proper monitoring.

Step 6: Update Religiously

This sounds obvious. It is not. Based on Qualys data from Q4 2025, the average time-to-patch for medium-severity vulnerabilities in enterprise environments is 58 days. For a 4.3 CVSS like Wing FTP, many organizations would not even prioritize it.

But CISA put it in the KEV catalog for a reason. "Medium severity" plus "actively exploited" equals "patch now." Not in the next maintenance window. Not after your change advisory board meets next Tuesday. Now.

Set up automatic security updates for your OS packages:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

For application-level software like Wing FTP, subscribe to the vendor's security mailing list and treat every security update as a priority deployment.

Beyond FTP: Modern Alternatives Worth Considering

For Simple File Sharing

Rclone + S3-compatible storage: If you just need to move files between locations, rclone with Backblaze B2 ($5/TB/month) or Cloudflare R2 (free egress) eliminates the need for a file transfer server entirely. No server to patch. No ports to firewall. No CVEs to worry about.

Syncthing: Peer-to-peer encrypted file sync. No server needed. Open source. I have been running it between three machines for two years with exactly zero security incidents, because there is nothing to attack.

For Managed File Transfer (Enterprise)

AWS Transfer Family: Managed SFTP/FTPS/FTP service. $0.30/hour per protocol enabled, plus $0.04/GB transferred. Expensive for high volume, but AWS handles patching, scaling, and security. For regulated industries where the compliance burden of self-hosting is real, this math often works out.

Azure Blob Storage + SFTP: Similar concept from Microsoft. SFTP connector went GA in 2023 and works well for organizations already invested in Azure.

The common theme: if you can avoid running your own file transfer server, do it. Every server you operate is a server you have to patch, monitor, and defend. The Wing FTP CVE is a reminder that even well-maintained commercial software has vulnerabilities. Just like the SocksEscort botnet that hijacked 369,000 routers, the question is not whether your file transfer server will be targeted — it is whether you will notice when it is.

What To Do Right Now

Here is your action list. Print it out, tape it to your monitor, or paste it into your team Slack. I do not care how you consume it, but do it today:

1. Run ss -tlnp on every VPS you manage. Identify all file transfer services.
2. If Wing FTP is running, update to the latest version immediately.
3. Kill any plain FTP services. Replace with SFTP or move to cloud storage.
4. Enable chroot and key-based auth for SFTP users.
5. Firewall file transfer ports to known IPs or put them behind a VPN.
6. Install fail2ban and configure it for SSH/SFTP.
7. Set up unattended security updates for OS packages.
8. Subscribe to CISA KEV alerts: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Greg called me while I was writing this article. He updated his Wing FTP, enabled the firewall rules, and found two other things wrong in the process. "I should do this more often," he said.

Yeah, Greg. We all should.
