CVE-2020-37032

HIGH EPSS 59.7%
Published Jan 30, 2026 (5mo ago) · Modified Jun 17, 2026 (1w ago)
8.6 CVSS 4.0
High

Description

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

CVSS Details

Base Score: 8.6
Exploitability
Impact
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability
59.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-78 OS Command Injection · Injection

Affected Products 1

Vendor        Product            Version    Range
wftpserver    wing_ftp_server    6.3.8      any

References 3

  • exploit-db.com https://www.exploit-db.com/exploits/48676
    Exploit, Third Party Advisory, VDB Entry
  • vulncheck.com https://www.vulncheck.com/advisories/wing-ftp-server-remote-code-execution
    Broken Link
  • wftpserver.com https://www.wftpserver.com/
    Product

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.