CVEFinder.io

CVE-2020-37032

⚠️ high
Summary

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

CVSS Score: 8.8 (High)
EPSS Score: 0.4 (Exploit Probability)
Published Date: 2026-01-30
First Seen: 2026-01-31
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 81.1% of all 326,604 vulnerabilities in our database.

#61,754
Top 25% most severe
Severity Percentile
🎯 CISA SSVC Assessment (Updated: Feb 3, 2026)
🔍 Exploitation Status: PoC (Proof-of-concept available)
⚙️ Automatable: NO (Requires human interaction)
💥 Technical Impact: Total (Complete system compromise possible)
🏆 Discovered By: v1n1v131r4
SSVC data provided by CISA
Last Modified 2026-02-18
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 3

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-44403 | ⚠️ high | 7.2 | 0.1 | Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization ... | 2026-05-12 |
| CVE-2020-37079 | 🔶 medium | 4.3 | 0.0 | Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administrat... | 2026-02-07 |
| CVE-2019-25267 | ⚠️ high | 7.8 | 0.0 | Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute... | 2026-02-05 |
| CVE-2025-27889 | ℹ️ low | 3.4 | 0.0 | Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint... | 2025-07-10 |
| CVE-2025-47811 | 🔶 medium | 4.1 | 0.1 | In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or S... | 2025-07-10 |
| CVE-2025-47812 | ⛔ critical | 10.0 | 92.5 | In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection o... | 2025-07-10 |
These CVEs affect the same products