Cyber Posture

CVE-2020-37032

Severity: High · Public PoC available

Published: 30 January 2026

Modified: 18 February 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0055 (68.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires validation of POST request inputs to the Lua web console, directly preventing OS command injection via malicious payloads invoking os.execute().

Prevent: Restricts or disables the non-essential Lua-based web console functionality, eliminating the primary attack vector for authenticated remote code execution.

Prevent: Enforces least privilege to limit web console access to only necessary high-privileged users, mitigating exploitation by low-privileged authenticated attackers.

Security Summary

CVE-2020-37032 is a remote code execution vulnerability in Wing FTP Server version 6.3.8, specifically within its Lua-based web console. The issue, classified under CWE-78 (OS Command Injection), allows authenticated users to execute arbitrary system commands by sending POST requests with malicious payloads that invoke the os.execute() function, enabling operating system-level code execution.

The vulnerability can be exploited remotely by low-privileged authenticated users (PR:L) with low attack complexity (AC:L) and no user interaction required (UI:N), as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation provides attackers with high-impact control over confidentiality, integrity, and availability, potentially leading to full server compromise.

Advisories, including those from VulnCheck at https://www.vulncheck.com/advisories/wing-ftp-server-remote-code-execution, document the remote code execution flaw. A public exploit is available at https://www.exploit-db.com/exploits/48676, and the vendor's site is https://www.wftpserver.com/.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products

Vendor: wftpserver
Product: wing ftp server
Version: 6.3.8

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.
Why these techniques?

CVE-2020-37032 enables remote exploitation of a public-facing FTP server's web console (T1190) through OS command injection, allowing arbitrary command execution on Windows via Lua's os.execute() (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References