Description

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

PUBLISHED | Reserved 2026-01-28 | Published 2026-01-30 | Updated 2026-02-03 | Assigner VulnCheck

HIGH: 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

6.3.8: affected

Credits

v1n1v131r4 (finder)

References

www.exploit-db.com/exploits/48676 (ExploitDB-48676) exploit

www.wftpserver.com/ (Wing FTP Server Official Homepage) product

www.vulncheck.com/...s/wing-ftp-server-remote-code-execution (VulnCheck Advisory: Wing FTP Server 6.3.8 - Remote Code Execution) third-party-advisory

cve.org (CVE-2020-37032)

nvd.nist.gov (CVE-2020-37032)
