Wing FTP Server Information Disclosure via Error Messages (CVE-2025-47813)

union isfuzzy=true
(
    W3CIISLog
    | where csUriStem contains "wftpserver" or csHost contains "wftpserver"
    | where scStatus in (500, 400, 401, 403, 530)
    | where scBytes > 500
    | project TimeGenerated, cIP, csHost, csUriStem, scStatus, scBytes, csUserAgent, csMethod
),
(
    CommonSecurityLog
    | where DeviceVendor contains "Wing" or DeviceProduct contains "WingFTP" or DeviceProduct contains "Wing FTP"
    | where Activity contains "error" or Activity contains "disclosure" or Message contains "stack" or Message contains "exception"
    | project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Activity, Message, DeviceVendor, DeviceProduct
),
(
    Syslog
    | where ProcessName contains "wftpd" or SyslogMessage contains "Wing FTP"
    | where SyslogMessage contains "error" or SyslogMessage contains "exception" or SyslogMessage contains "traceback" or SyslogMessage contains "stack trace"
    | project TimeGenerated, HostName, HostIP, ProcessName, SyslogMessage, SeverityLevel
)
| extend AlertDetails = bag_pack("CVE", "CVE-2025-47813", "Severity", "high", "TacticId", "TA0007")
| order by TimeGenerated desc

index=* (sourcetype=ftp OR sourcetype=wftpserver OR sourcetype=wing_ftp OR source=*wingftp* OR source=*wftpserver*)
| eval is_error=if(match(status, "^(4|5)") OR match(_raw, "(?i)(error|exception|stack trace|traceback|internal server error)"), 1, 0)
| eval has_disclosure=if(match(_raw, "(?i)(path|directory|version|config|permission denied|no such file|stack|exception at|line \d+)"), 1, 0)
| where is_error=1
| bin _time span=5m
| stats count as error_count, sum(has_disclosure) as disclosure_hits, values(src_ip) as source_ips, values(status) as error_codes, values(_raw) as raw_messages by _time, host
| where error_count >= 5 OR disclosure_hits >= 1
| eval risk_score=case(disclosure_hits >= 3, 90, disclosure_hits >= 1, 70, error_count >= 20, 60, true(), 40)
| sort -risk_score
| table _time, host, source_ips, error_count, disclosure_hits, error_codes, risk_score

sequence by host.name with maxspan=10m
  [network where event.type == "connection" and destination.port in (21, 990, 989) and
   (process.name like~ "wftpd*" or process.name like~ "wingftp*" or process.executable like~ "*Wing FTP*")]
  [process where event.type == "start" and
   (process.name like~ "wftpd*" or process.parent.name like~ "wftpd*") and
   process.args_count > 0]
  [any where event.dataset == "system.syslog" and
   (message like~ "*error*" or message like~ "*exception*" or message like~ "*stack trace*") and
   (message like~ "*path*" or message like~ "*version*" or message like~ "*config*")]

SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    destinationip,
    destinationport,
    username,
    "eventName",
    "Message",
    logsourcename(logsourceid) AS log_source,
    category,
    QIDNAME(qid) AS event_name,
    magnitude
FROM events
WHERE
    (
        logsourcetypename(devicetype) ILIKE '%ftp%'
        OR logsourcename(logsourceid) ILIKE '%wing%'
        OR logsourcename(logsourceid) ILIKE '%wftp%'
        OR "Message" ILIKE '%Wing FTP%'
    )
    AND (
        "Message" ILIKE '%error%'
        OR "Message" ILIKE '%exception%'
        OR "Message" ILIKE '%stack%'
        OR "Message" ILIKE '%traceback%'
        OR category IN (5018, 5019, 5020)
    )
    AND (
        "Message" ILIKE '%path%'
        OR "Message" ILIKE '%version%'
        OR "Message" ILIKE '%config%'
        OR "Message" ILIKE '%permission%'
        OR "Message" ILIKE '%internal%'
    )
LAST 6 HOURS
ORDER BY starttime DESC
LIMIT 500

_sourceCategory=ftp OR _sourceCategory=wing_ftp OR _sourceName=*wftpserver* OR _sourceName=*wingftp*
| where %"message" matches "*error*" OR %"message" matches "*exception*" OR %"message" matches "*stack trace*" OR %"message" matches "*traceback*"
| where %"message" matches "*path*" OR %"message" matches "*version*" OR %"message" matches "*//*" OR %"message" matches "*config*" OR %"message" matches "*permission*"
| parse regex "(?i)(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?i)(error|exception)[^:]*:\s*(?P<error_detail>[^\n]{10,200})" nodrop
| timeslice 5m
| count as event_count, values(src_ip) as source_ips, values(error_detail) as error_details by _timeslice, _sourceHost
| where event_count >= 3
| sort by event_count desc

rule wing_ftp_information_disclosure_cve_2025_47813 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Wing FTP Server information disclosure via verbose error messages (CVE-2025-47813)"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-47813"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1592"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.application_protocol = "FTP"
    (
      re.regex($e.principal.process.file.full_path, `(?i)wing.?ftp|wftpd`)
      or re.regex($e.target.application, `(?i)wing.?ftp|wftpd`)
      or re.regex($e.metadata.product_name, `(?i)wing.?ftp`)
    )
    (
      re.regex($e.about.labels["response_code"], `^(4|5)\d{2}$`)
      or re.regex($e.network.sent_bytes, `[5-9]\d{2,}`)
    )

    $e2.metadata.event_type = "STATUS_UPDATE"
    (
      re.regex($e2.about.labels["message"], `(?i)(error|exception|stack.?trace|traceback)`)
      and re.regex($e2.about.labels["message"], `(?i)(path|version|config|permission|internal)`)
    )
    $e2.principal.hostname = $e.principal.hostname

  match:
    $e.principal.hostname over 10m

  outcome:
    $risk_score = 70
    $cve = "CVE-2025-47813"
    $src_ips = array_distinct($e.principal.ip)

  condition:
    $e and $e2
}

// Wing FTP Server Information Disclosure Detection - CVE-2025-47813
#event_simpleName IN (NetworkConnectIP4, NetworkConnectIP6, ProcessRollup2, SyntheticProcessRollup2)
| FileName IN ("wftpd.exe", "wftpserver.exe", "wingftpserver.exe") OR
  ImageFileName CONTAINS "Wing FTP" OR
  CommandLine CONTAINS "wftpd" OR
  CommandLine CONTAINS "wingftp"
| eval is_ftp_process = if(FileName IN ("wftpd.exe", "wftpserver.exe", "wingftpserver.exe"), true, false)
| join type=inner [
    #event_simpleName=NetworkConnectIP4
    | RemotePort IN (21, 989, 990)
    | stats count() as connection_count, values(RemoteAddressIP4) as remote_ips by aid, LocalPort
  ] aid aid
| where is_ftp_process = true
| stats
    count() as event_count,
    values(FileName) as processes,
    values(CommandLine) as cmd_lines,
    values(remote_ips) as connecting_ips,
    sum(connection_count) as total_connections
  by aid, ComputerName, UserName
| where total_connections > 10
| eval severity = case(
    total_connections > 50, "critical",
    total_connections > 20, "high",
    true(), "medium"
  )
| sort -total_connections