CVE-2020-37032
Published 2026-01-30
CVE-2020-37032: Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands…
Priority: P2 · 62 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.04% (59.7th percentile)
Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wftpserver | wing_ftp_server | — | — |
| wing_ftp_server | wing_ftp_server | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to the Wing FTP Server Lua-based web console that invoke os.execute() for system command execution.
- Monitor Wing FTP Server web console activity for authenticated users invoking os.execute() calls, which indicates abuse of the Lua scripting interface for RCE.
- The vulnerability is specific to Wing FTP Server version 6.3.8; verify the deployed version before applying detection logic, as other versions may not expose the same Lua console attack surface.
- Exploitation requires prior authentication; detections should correlate authenticated session activity with subsequent os.execute() invocations rather than treating all console POST requests as malicious.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
Wiz
CVE-2020-37079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2020-37079 [HIGH] CVE-2020-37079 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2020-37079: Wing FTP Server vulnerability analysis and mitigation
Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization.
Source : NVD
Score: 5.1
Published February 7, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Wiz
CVE-2020-37032 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2020-37032 [HIGH] CVE-2020-37032 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2020-37032: Wing FTP Server vulnerability analysis and mitigation
Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.
Source : NVD
Score: 8.6
Published January 30, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 64.7
Exploitation Probability (EPSS) 0.5
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Wiz
CVE-2022-50934 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2022-50934 [HIGH] CVE-2022-50934 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2022-50934: Wing FTP Server vulnerability analysis and mitigation
Rejected reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
Source : NVD
Published January 13, 2026
CNA Score N/A
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Sources
NVD
Windows Severity HIGH Has Fix Added at: Jan 14, 2026
Wiz
CVE-2024-58299 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2024-58299 [HIGH] CVE-2024-58299 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-58299: Wing FTP Server vulnerability analysis and mitigation
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
Source : NVD
Score: 9.3
Published December 12, 2025
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 50.1
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Sources
NVD
Windows Severity CRITICAL Has Fix Added at: Mar
Wiz
CVE-2019-25267 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2019-25267 [HIGH] CVE-2019-25267 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25267: Wing FTP Server vulnerability analysis and mitigation
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
Source : NVD
Score: 8.5
Published February 5, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Sources