CVE-2024-58299
Published 2025-12-12
Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.71% (48.9th percentile)
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pcman | ftp_server | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via the FTP 'pwd' command; monitor for oversized or malformed PWD command payloads sent over FTP sessions, which may indicate a buffer overflow exploitation attempt.
- The exploit payload is delivered during the FTP login process; inspect FTP authentication sequences for abnormally large data that could overwrite memory.
- The NVD/Wiz source attributes this CVE to 'PCMan FTP Server 2.0' in the description, but the Wiz vulnerability database categorises it under 'Wing FTP Server' (cpe:2.3:a:wftpserver:wing_ftp_server). Verify the correct affected product before applying detections.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
Wiz
CVE-2020-37079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2020-37079 [HIGH] CVE-2020-37079 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2020-37079: Wing FTP Server vulnerability analysis and mitigation
Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization.
Source : NVD
Score: 5.1
Published February 7, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Wiz
CVE-2020-37032 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2020-37032 [HIGH] CVE-2020-37032 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2020-37032: Wing FTP Server vulnerability analysis and mitigation
Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.
Source : NVD
Score: 8.6
Published January 30, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 64.7
Exploitation Probability (EPSS) 0.5
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Wiz
CVE-2022-50934 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2022-50934 [HIGH] CVE-2022-50934 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2022-50934: Wing FTP Server vulnerability analysis and mitigation
Rejected reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
Source : NVD
Published January 13, 2026
CNA Score N/A
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Sources
NVD
Windows Severity HIGH Has Fix Added at: Jan 14, 2026
Wiz
CVE-2024-58299 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2024-58299 [HIGH] CVE-2024-58299 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-58299: Wing FTP Server vulnerability analysis and mitigation
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
Source : NVD
Score: 9.3
Published December 12, 2025
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 50.1
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Sources
NVD
Windows Severity CRITICAL Has Fix Added at: Mar
Wiz
CVE-2019-25267 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2019-25267 [HIGH] CVE-2019-25267 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25267: Wing FTP Server vulnerability analysis and mitigation
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
Source : NVD
Score: 8.5
Published February 5, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Wing FTP Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:wftpserver:wing_ftp_server
Sources