CVE-2020-37032

HIGH

Wing FTP Server 6.3.8 - RCE

Title source: llm

Description

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

Exploits (1)

exploitdb WORKING POC

by V1n1v131r4 · textwebappslua

https://www.exploit-db.com/exploits/48676

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/48676

[Various Sources] https://www.wftpserver.com/

[Third Party Advisory] https://www.vulncheck.com/advisories/wing-ftp-server-remote-code-execution

Scores

CVSS v3 8.8

EPSS 0.0055

EPSS Percentile 68.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

wftpserver/wing_ftp_server 6.3.8

Published Jan 30, 2026

Tracked Since Feb 18, 2026