CVE-2020-37032
published 2026-01-30

Priority: P262 | high | 8.8 (CVSS 3.1) | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.04% (59.7th percentile)

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
wftpserver | wing_ftp_server | |
wing_ftp_server | wing_ftp_server | |

Detection & IOCs (extracted from sources)

  • Detect POST requests to the Wing FTP Server Lua-based web console that invoke os.execute() for system command execution
  • Monitor Wing FTP Server web console activity for authenticated users invoking os.execute() calls, which indicates abuse of the Lua scripting interface for RCE
  • The vulnerability is specific to Wing FTP Server version 6.3.8; verify the deployed version before applying detection logic, as other versions may not expose the same Lua console attack surface.
  • Exploitation requires prior authentication; detections should correlate authenticated session activity with subsequent os.execute() invocations rather than treating all console POST requests as malicious.

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X