CVE-2022-50934
Unknown Unknown - Not Provided
Authenticated Remote Code Execution in Wing FTP Server Admin Panel

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Wing FTP Server versions 4.3.8 and below contain an authenticated remote code execution vulnerability that allows attackers to execute arbitrary PowerShell commands through the admin interface. Attackers can leverage a crafted Lua script payload with base64-encoded PowerShell to establish a reverse TCP shell by authenticating and sending a malicious request to the admin panel.
Meta Information
Published: 2026-01-13
Last Modified: 2026-01-13
Generated: 2026-05-07
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-01-14
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: wing_ftp_server
Product: wing_ftp_server
Version / Range: up to 4.3.8 (exc)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2022-50934 is an authenticated remote code execution vulnerability in Wing FTP Server versions 4.3.8 and earlier. An attacker with valid credentials can send a crafted Lua script payload containing base64-encoded PowerShell commands through the server's admin interface. This allows the attacker to execute arbitrary PowerShell commands remotely, establishing a reverse TCP shell and gaining control over the server. [1, 3]


How can this vulnerability impact me?

This vulnerability can lead to a full system compromise of the affected Wing FTP Server. An attacker who authenticates can execute arbitrary code remotely, potentially taking complete control of the server, accessing sensitive data, disrupting services, or using the server as a foothold for further attacks within the network. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves verifying whether Wing FTP Server version 4.3.8 or below is running and monitoring for suspicious authenticated POST requests to the admin interface endpoints such as `/admin_loginok.html` and `/admin_lua_script.html`. One can check server logs for POST requests containing Lua script commands with base64-encoded PowerShell payloads. A practical approach is to look for unusual POST requests whose payloads invoke PowerShell commands via Lua scripts. For example, monitoring or searching logs for POST requests to `/admin_lua_script.html` containing 'powershell -Encodedcommand' can indicate exploitation attempts. Additionally, network monitoring tools can be used to detect reverse TCP shell connections originating from the server. Specific commands depend on the environment, but for Linux servers, commands like `grep -i 'powershell -Encodedcommand' /path/to/wingftp/logs/*` or inspecting web server access logs for suspicious POST requests can be useful. [1, 3]
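The log search described above, carried a step further as an added example (not code from the page, from VulnCheck, or from Wing FTP Server): it parses request log lines, flags POST requests to `/admin_lua_script.html`, raises the severity when the page's indicator string `powershell -EncodedCommand` is present, and decodes the base64 argument for triage, since `-EncodedCommand` expects base64 of a UTF-16LE string. The log line format is assumed (a generic access-log layout; Wing FTP's real layout is not shown on the page, so adjust `LINE_RE` for yours), and the sample lines, including the harmless encoded `Write-Host 'hi'`, are constructed for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Endpoint named on the page as the one receiving the crafted Lua script.
ADMIN_SCRIPT_PATH = "/admin_lua_script.html"

# Constructed sample log lines in an assumed generic access-log layout:
# client - user [timestamp] "METHOD path proto" status "request body"
SAMPLE_LOG = """\
203.0.113.7 - admin [13/Jan/2026:10:01:02 +0000] "POST /admin_loginok.html HTTP/1.1" 302 "-"
203.0.113.7 - admin [13/Jan/2026:10:01:05 +0000] "POST /admin_lua_script.html HTTP/1.1" 200 "lua=... powershell -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA ..."
198.51.100.3 - admin [13/Jan/2026:10:05:11 +0000] "GET /admin_lua_script.html HTTP/1.1" 200 "-"
203.0.113.9 - admin [13/Jan/2026:10:07:30 +0000] "POST /admin_lua_script.html HTTP/1.1" 200 "lua=print('hello')"
"""

# Assumed line layout; the named groups are what the scanner relies on.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>.*)"$'
)

# The page's indicator, matched case-insensitively; captures the base64 argument.
ENCODED_RE = re.compile(
    r'powershell[^"]*?-encodedcommand\s+([A-Za-z0-9+/=]+)', re.IGNORECASE
)


@dataclass
class Finding:
    client: str
    user: str
    timestamp: str
    severity: str                      # "high" if an encoded PowerShell command is present, else "low"
    decoded_command: Optional[str]     # decoded -EncodedCommand argument, when it decodes cleanly


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text).

    Returns None when the argument is not valid base64 or not valid UTF-16LE,
    so a malformed payload does not crash the scan.
    """
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per POST to the admin Lua script endpoint.

    Every such POST is worth auditing ("low"); a request body carrying
    'powershell -EncodedCommand' is escalated to "high" and its payload decoded.
    """
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        if m["method"] != "POST" or m["path"] != ADMIN_SCRIPT_PATH:
            continue
        enc = ENCODED_RE.search(m["body"])
        if enc is None:
            findings.append(Finding(m["client"], m["user"], m["ts"], "low", None))
        else:
            findings.append(Finding(m["client"], m["user"], m["ts"], "high",
                                    decode_encoded_command(enc.group(1))))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.client} user={f.user} "
              f"decoded={f.decoded_command!r}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a "high" finding whose decoded command you do not recognise as legitimate administration is the point at which to pivot to the network-side check the answer mentions (outbound connections from the server around that timestamp).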


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Restrict access to the Wing FTP Server admin interface to trusted IP addresses only, minimizing exposure.
2) Ensure strong authentication credentials are used to prevent unauthorized access.
3) Monitor and audit admin interface access logs for suspicious activity.
4) If possible, disable or restrict the execution of Lua scripts or PowerShell commands via the admin interface.
5) Apply any available patches or upgrade Wing FTP Server to a version later than 4.3.8 that addresses this vulnerability.
6) As a temporary measure, consider isolating the server from untrusted networks to prevent exploitation.
These steps reduce the risk of an attacker authenticating and executing arbitrary code remotely. [1, 3]

