CVE-2026-44403

HIGH

Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44403. PoCs published by Ünsal Furkan Harani, ZemarKhos.

AI-analyzed exploit summary: This exploit demonstrates an authenticated RCE vulnerability in Wing FTP Server 8.1.2 by injecting arbitrary Lua code through a poisoned domain admin's 'mydirectory' field, which executes when the session is loaded via `loadfile()`.

Description

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Exploits (2)

exploitdb WORKING POC
by Ünsal Furkan Harani · text · remote · multiple
https://www.exploit-db.com/exploits/52589

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server v8.1.2
Auth required
Prerequisites: Valid full admin credentials · Access to Wing FTP Server web admin panel (default port 5466)
devstral-2 · analyzed May 30, 2026

nomisec WORKING POC
by ZemarKhos · poc
https://github.com/ZemarKhos/CVE-2026-44403-WingFTP-v8.1.2-POC-Exploit

This repository contains a functional exploit for CVE-2026-44403, targeting Wing FTP Server v8.1.2. The exploit leverages a session serialization vulnerability in Lua's long-string notation to achieve remote code execution by injecting malicious payloads into the admin's basefolder field.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server v8.1.2
Auth required
Prerequisites: Valid full admin credentials · Access to the Wing FTP Server admin panel
devstral-2 · analyzed May 14, 2026

Scores

CVSS v3: 7.2
EPSS: 0.0062
EPSS Percentile: 70.6%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (3):
wftpserver/wing_ftp_server < 8.1.3
Wing FTP Server/Wing FTP Server 8.1.2
Wing FTP Server/Wing FTP Server 8.1.3
Published: May 12, 2026
Tracked Since: May 13, 2026