CVE-2026-44403
published 2026-05-12


Priority: P356high
CVSS 3.1: 7.2 (high), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.64% (83.7th percentile)
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Affected

2 ranges
Vendor            Product           Version range   Fixed in
wftpserver        wing_ftp_server   < 8.1.3         8.1.3
wing_ftp_server   wing_ftp_server

Detection & IOCs (extracted from sources)

url: /service_add_admin.html
url: /service_modify_admin.html
url: /service_login.html
url: /service_get_dir_list.html
other: poisoned mydirectory field pattern: /tmp/x]]<lua_payload>--
other: session serialization pattern: _SESSION['admin_basefolder']=[[/tmp/x]]--]]
  • Monitor POST requests to /service_add_admin.html and /service_modify_admin.html where the 'mydirectory' (admin_basefolder) field contains the Lua long-string closing delimiter ']]' — this is the injection breakout sequence used to escape the serialized session string.
  • Alert on multipart/form-data POST bodies to Wing FTP admin endpoints where the JSON 'mydirectory' value contains ']]' followed by non-path characters, indicating a session-poisoning attempt.
  • The exploit hardcodes a poisoned domain admin account named 'svc_backup' with password 'P@ssw0rd123!' — alert on creation of admin accounts with these credentials in Wing FTP Server logs.
  • The vulnerability is triggered via the 'mydirectory' field (mapped to admin_basefolder in session) of a domain admin object. Inspect Wing FTP admin audit logs for domain admin creation/modification events where this field contains special characters ']]' or '--'.
  • Exploitation requires prior authentication as an administrator — this is an authenticated RCE, not unauthenticated. Detections should be scoped to authenticated admin sessions to reduce false positives, but note that domain admin privileges (not just super-admin) are sufficient.
  • The payload executes on the NEXT session load after login (not immediately on admin creation), meaning there is a two-request trigger window. Detection systems that only inspect the initial POST to service_add_admin.html may miss the execution phase.
  • service_modify_admin.html performs NO bracket stripping, making it a more reliable injection vector than service_add_admin.html. Defenses or WAF rules must cover both endpoints equally.
  • The Lua payload executes with the privileges of the Wing FTP Server process. On Windows, this may be SYSTEM; on Linux, it runs as the service user. Scope post-exploitation monitoring accordingly.
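The detection guidance above, turned into a small two-stage check as an added example (not code from the page's sources or from Wing FTP Server): it flags admin create/modify POSTs whose 'mydirectory' value carries a Lua breakout sequence, then flags the next /service_login.html request from the same client, because the injected code only runs when the poisoned session is loaded. It assumes the request records have already been normalized into dicts with the JSON body extracted from the multipart form; the traffic sample is constructed.

```python
import json
import re

# Endpoints named on the page as the injection vectors and the trigger.
ADMIN_WRITE_ENDPOINTS = {"/service_add_admin.html", "/service_modify_admin.html"}
LOGIN_ENDPOINT = "/service_login.html"

# A legitimate base folder never contains a Lua long-string closer ']]' or a
# Lua line comment '--'; either one breaks out of the serialized _SESSION string.
BREAKOUT = re.compile(r"\]\]|--")


def mydirectory_of(body):
    """Return the 'mydirectory' value from a JSON request body, or None."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    return data.get("mydirectory") if isinstance(data, dict) else None


def scan(requests):
    """Return alerts for poisoning attempts and for the later session load.

    Requests are assumed to be normalized dicts in time order (assumption,
    not a Wing FTP log format): src, method, path, body (JSON string).
    """
    alerts, poisoned_clients = [], set()
    for r in requests:
        if r["method"] == "POST" and r["path"] in ADMIN_WRITE_ENDPOINTS:
            value = mydirectory_of(r["body"])
            if value is not None and BREAKOUT.search(value):
                poisoned_clients.add(r["src"])
                alerts.append({"stage": "poison", "src": r["src"],
                               "path": r["path"], "mydirectory": value})
        elif r["path"] == LOGIN_ENDPOINT and r["src"] in poisoned_clients:
            # Second stage: the poisoned session is loaded on the next login.
            alerts.append({"stage": "trigger", "src": r["src"], "path": r["path"]})
    return alerts


# Constructed sample traffic (not real logs): a benign admin edit, a poisoned
# admin creation using the page's IoC pattern, and the follow-up logins.
SAMPLE = [
    {"src": "10.0.0.5", "method": "POST", "path": "/service_modify_admin.html",
     "body": json.dumps({"mydirectory": "/srv/ftp/backup"})},
    {"src": "10.0.0.9", "method": "POST", "path": "/service_add_admin.html",
     "body": json.dumps({"mydirectory": "/tmp/x]]<lua_payload>--"})},
    {"src": "10.0.0.9", "method": "POST", "path": LOGIN_ENDPOINT, "body": ""},
    {"src": "10.0.0.5", "method": "POST", "path": LOGIN_ENDPOINT, "body": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Running it yields one "poison" alert and one "trigger" alert for 10.0.0.9 and nothing for the benign client.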

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.6 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X