CVE-2026-44403
Published 2026-05-12
Priority: P3 (56)
CVSS 3.1: 7.2 (High)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 2.64% (83.7th percentile)
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wftpserver | wing_ftp_server | < 8.1.3 | 8.1.3 |
| wing_ftp_server | wing_ftp_server | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /service_add_admin.html and /service_modify_admin.html where the 'mydirectory' (admin_basefolder) field contains the Lua long-string closing delimiter ']]' — this is the injection breakout sequence used to escape the serialized session string.
- Alert on multipart/form-data POST bodies to Wing FTP admin endpoints where the JSON 'mydirectory' value contains ']]' followed by non-path characters, indicating a session-poisoning attempt.
- The exploit hardcodes a poisoned domain admin account named 'svc_backup' with password 'P@ssw0rd123!' — alert on creation of admin accounts with these credentials in Wing FTP Server logs.
- The vulnerability is triggered via the 'mydirectory' field (mapped to admin_basefolder in session) of a domain admin object. Inspect Wing FTP admin audit logs for domain admin creation/modification events where this field contains special characters ']]' or '--'.
- Exploitation requires prior authentication as an administrator — this is an authenticated RCE, not unauthenticated. Detections should be scoped to authenticated admin sessions to reduce false positives, but note that domain admin privileges (not just super-admin) are sufficient.
- The payload executes on the NEXT session load after login (not immediately on admin creation), meaning there is a two-request trigger window. Detection systems that only inspect the initial POST to service_add_admin.html may miss the execution phase.
- service_modify_admin.html performs NO bracket stripping, making it a more reliable injection vector than service_add_admin.html. Defenses or WAF rules must cover both endpoints equally.
- The Lua payload executes with the privileges of the Wing FTP Server process. On Windows, this may be SYSTEM; on Linux, it runs as the service user. Scope post-exploitation monitoring accordingly.
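As an added example (not code from the page's sources or from Wing FTP Server), the two detection points above in Python: it flags admin-endpoint POSTs whose 'mydirectory' value carries the ']]' breakout or a '--' marker, and shows the serialization-side fix the description implies, quoting a value as a Lua long string at a bracket level the value cannot close. The request shape (path plus JSON body) and the sample requests are constructed assumptions.

```python
import json
import re
from typing import Optional

# Endpoints named in the IOCs above. Path + JSON body is an assumed request
# shape for this example, not Wing FTP Server's actual wire format.
ADMIN_ENDPOINTS = {"/service_add_admin.html", "/service_modify_admin.html"}
# ']]' closes a level-0 Lua long string; '--' starts a Lua comment.
BREAKOUT = re.compile(r"\]\]|--")


def flag_request(path: str, body: str) -> Optional[dict]:
    """Return a finding when a domain-admin POST carries a breakout
    sequence in 'mydirectory', else None (other paths are out of scope)."""
    if path not in ADMIN_ENDPOINTS:
        return None
    try:
        fields = json.loads(body)
    except ValueError:
        return None
    value = str(fields.get("mydirectory", ""))
    match = BREAKOUT.search(value)
    if not match:
        return None
    return {"path": path, "field": "mydirectory",
            "token": match.group(0), "value": value}


def lua_long_string(value: str) -> str:
    """Serialize value as a Lua long string whose closing delimiter
    ']=...=]' does not occur inside it, so no content can break out."""
    level = 0
    while "]" + "=" * level + "]" in value:
        level += 1
    eq = "=" * level
    # Lua drops a newline directly after the opening bracket, so emit one
    # to preserve values that themselves start with a newline.
    return f"[{eq}[\n{value}]{eq}]"


# Constructed sample requests, not real traffic.
SAMPLES = [
    ("/service_add_admin.html", '{"name":"ops","mydirectory":"/data/ops"}'),
    ("/service_modify_admin.html", '{"name":"ops","mydirectory":"/tmp]]--x"}'),
    ("/login.html", '{"user":"x","mydirectory":"]]"}'),
]


def scan(samples=SAMPLES) -> list:
    """Run flag_request over sample requests and keep only findings."""
    return [f for f in (flag_request(p, b) for p, b in samples) if f]
```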
CVSS provenance
- NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.6 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
Wing FTP Server up to 8.1.2 loadfile code injection
vuldb · 2026-05-12
CVE-2026-44403 [CRITICAL] Wing FTP Server up to 8.1.2 loadfile code injection
A vulnerability labeled as critical has been found in Wing FTP Server up to 8.1.2. The affected element is the function loadfile. Such manipulation leads to code injection.
This vulnerability is referenced as CVE-2026-44403. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
GHSA
GHSA-ffh5-r5xj-cgmg: Wing FTP Server 8
ghsa_unreviewed · 2026-05-12
CVE-2026-44403 [HIGH] CWE-94 GHSA-ffh5-r5xj-cgmg: Wing FTP Server 8
Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
No detection rules found.
No writeups or analysis indexed.