Detect Wing FTP Server Information Disclosure via Error Messages (CVE-2025-47813) in Google Chronicle
Detects potential exploitation of CVE-2025-47813, an information disclosure vulnerability in Wing FTP Server (CWE-209) where detailed error messages expose sensitive server-side information. This vulnerability is actively exploited in the wild (CISA KEV). Attackers may probe the FTP server with malformed or unexpected requests to trigger verbose error responses revealing internal paths, software versions, configuration details, or stack traces.
MITRE ATT&CK
- Tactic
- Discovery Reconnaissance
YARA-L Detection Query
rule wing_ftp_information_disclosure_cve_2025_47813 {
meta:
author = "df00tech Detection Engineering"
description = "Detects Wing FTP Server information disclosure via verbose error messages (CVE-2025-47813)"
severity = "HIGH"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-47813"
mitre_attack_tactic = "Discovery"
mitre_attack_technique = "T1592"
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.network.application_protocol = "FTP"
(
re.regex($e.principal.process.file.full_path, `(?i)wing.?ftp|wftpd`)
or re.regex($e.target.application, `(?i)wing.?ftp|wftpd`)
or re.regex($e.metadata.product_name, `(?i)wing.?ftp`)
)
(
re.regex($e.about.labels["response_code"], `^(4|5)\d{2}$`)
or re.regex($e.network.sent_bytes, `[5-9]\d{2,}`)
)
$e2.metadata.event_type = "STATUS_UPDATE"
(
re.regex($e2.about.labels["message"], `(?i)(error|exception|stack.?trace|traceback)`)
and re.regex($e2.about.labels["message"], `(?i)(path|version|config|permission|internal)`)
)
$e2.principal.hostname = $e.principal.hostname
match:
$e.principal.hostname over 10m
outcome:
$risk_score = 70
$cve = "CVE-2025-47813"
$src_ips = array_distinct($e.principal.ip)
condition:
$e and $e2
}Chronicle YARA-L 2.0 rule correlating Wing FTP Server network connections showing error responses with subsequent log entries containing sensitive information disclosure patterns.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate FTP client misconfigurations causing repeated error sequences
- Authorized security scans targeting the FTP server producing error correlations
- FTP server upgrades or restarts causing transient error bursts followed by log entries
- Network appliances performing health checks against FTP ports generating correlated events
Other platforms for CVE-2025-47813
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Trigger Wing FTP Server Verbose Error via Invalid Command
Expected signal: Wing FTP Server access logs show connection from test host with invalid command responses. Network capture shows FTP control channel responses with error codes 500/502 and potentially verbose message bodies.
- Test 2Enumerate Wing FTP Server Version via Banner Grabbing and Error Probing
Expected signal: Network logs show sequential FTP connections from test host. Wing FTP Server logs record failed auth attempts and invalid CWD commands with server-generated error responses.
- Test 3Simulate Automated Scanner Probing Wing FTP Server Error Responses
Expected signal: Wing FTP Server logs show burst of varied FTP commands from single source IP including SYST, STAT, FEAT commands that reveal version/feature information, plus error responses to invalid path and command inputs.
Unlock Pro Content
Get the full detection package for CVE-2025-47813 including response playbook, investigation guide, and atomic red team tests.