CVE-2025-47813 Sumo Logic CSE · Sumo

Detect Wing FTP Server Information Disclosure via Error Messages (CVE-2025-47813) in Sumo Logic CSE

Detects potential exploitation of CVE-2025-47813, an information disclosure vulnerability in Wing FTP Server (CWE-209) where detailed error messages expose sensitive server-side information. This vulnerability is actively exploited in the wild (CISA KEV). Attackers may probe the FTP server with malformed or unexpected requests to trigger verbose error responses revealing internal paths, software versions, configuration details, or stack traces.

MITRE ATT&CK

Tactic
Discovery Reconnaissance

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=ftp OR _sourceCategory=wing_ftp OR _sourceName=*wftpserver* OR _sourceName=*wingftp*
| where %"message" matches "*error*" OR %"message" matches "*exception*" OR %"message" matches "*stack trace*" OR %"message" matches "*traceback*"
| where %"message" matches "*path*" OR %"message" matches "*version*" OR %"message" matches "*//*" OR %"message" matches "*config*" OR %"message" matches "*permission*"
| parse regex "(?i)(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?i)(error|exception)[^:]*:\s*(?P<error_detail>[^\n]{10,200})" nodrop
| timeslice 5m
| count as event_count, values(src_ip) as source_ips, values(error_detail) as error_details by _timeslice, _sourceHost
| where event_count >= 3
| sort by event_count desc
high severity medium confidence

Sumo Logic query detecting Wing FTP Server information disclosure by identifying error messages containing sensitive details such as internal paths, version information, and configuration data from FTP server log sources.

Data Sources

Wing FTP Server logsFTP access logsSystem logs

Required Tables

_sourceCategory=ftp_sourceCategory=wing_ftp

False Positives & Tuning

  • Legitimate FTP client errors generating verbose server responses during normal usage
  • Internal development or testing environments with verbose logging enabled
  • Authorized security assessments triggering error response patterns
  • High-traffic FTP environments where error rates are naturally elevated

Other platforms for CVE-2025-47813

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Trigger Wing FTP Server Verbose Error via Invalid Command

    Expected signal: Wing FTP Server access logs show connection from test host with invalid command responses. Network capture shows FTP control channel responses with error codes 500/502 and potentially verbose message bodies.

  2. Test 2Enumerate Wing FTP Server Version via Banner Grabbing and Error Probing

    Expected signal: Network logs show sequential FTP connections from test host. Wing FTP Server logs record failed auth attempts and invalid CWD commands with server-generated error responses.

  3. Test 3Simulate Automated Scanner Probing Wing FTP Server Error Responses

    Expected signal: Wing FTP Server logs show burst of varied FTP commands from single source IP including SYST, STAT, FEAT commands that reveal version/feature information, plus error responses to invalid path and command inputs.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-47813 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0007DiscoveryTA0043Reconnaissance

Related Techniques

T1592Gather Victim Host InformationT1590Gather Victim Network InformationT1210Exploitation of Remote Services

Same Tactic: Discovery

Popular Detections