CVE-2020-37032

HIGH

Wing FTP Server 6.3.8 - Authenticated Remote Code Execution via Lua Web Console os.execute()

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37032. PoCs published by V1n1v131r4.

AI-analyzed exploit summary: This exploit leverages an authenticated remote code execution vulnerability in Wing FTP Server's Lua-based web console. It sends a POST request with a command to download and execute a reverse shell payload using certutil.exe.

Description

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

Exploits (1)

exploitdb WORKING POC
by V1n1v131r4 · text · webapps · lua
https://www.exploit-db.com/exploits/48676

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Wing FTP Server 6.3.8
Auth required
Prerequisites: Authenticated access to the Wing FTP Server web console · Network access to the target server · A hosted payload (e.g., shell.exe) on an attacker-controlled server
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48676
Various Sources product
https://www.wftpserver.com/

Scores

CVSS v3: 8.8
EPSS: 0.0104
EPSS Percentile: 59.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1)
wftpserver/wing_ftp_server 6.3.8
Published: Jan 30, 2026
Tracked Since: Feb 18, 2026