CVE-2022-50934
Unknown Unknown - Not Provided
Authenticated Remote Code Execution in Wing FTP Server Admin Panel

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Wing FTP Server versions 4.3.8 and below contain an authenticated remote code execution vulnerability that allows attackers to execute arbitrary PowerShell commands through the admin interface. Attackers can leverage a crafted Lua script payload with base64-encoded PowerShell to establish a reverse TCP shell by authenticating and sending a malicious request to the admin panel.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-01-14
NVD
CVE-2022-50934
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wing_ftp_server wing_ftp_server to 4.3.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50934 is an authenticated remote code execution vulnerability in Wing FTP Server versions 4.3.8 and earlier. An attacker with valid credentials can send a crafted Lua script payload containing base64-encoded PowerShell commands through the server's admin interface. This allows the attacker to execute arbitrary PowerShell commands remotely, establishing a reverse TCP shell and gaining control over the server. [1, 3]

Impact Analysis

This vulnerability can lead to a full system compromise of the affected Wing FTP Server. An attacker who authenticates can execute arbitrary code remotely, potentially taking complete control of the server, accessing sensitive data, disrupting services, or using the server as a foothold for further attacks within the network. [1, 3]

Detection Guidance

Detection involves verifying if the Wing FTP Server version 4.3.8 or below is running and monitoring for suspicious authenticated POST requests to the admin interface endpoints such as `/admin_loginok.html` and `/admin_lua_script.html`. One can check server logs for POST requests containing Lua script commands with base64-encoded PowerShell payloads. A practical approach is to look for unusual POST requests with payloads invoking PowerShell commands via Lua scripts. For example, monitoring or searching logs for POST requests to `/admin_lua_script.html` containing 'powershell -Encodedcommand' can indicate exploitation attempts. Additionally, network monitoring tools can be used to detect reverse TCP shell connections originating from the server. Specific commands depend on the environment, but for Linux servers, commands like `grep -i 'powershell -Encodedcommand' /path/to/wingftp/logs/*` or inspecting web server access logs for suspicious POST requests can be useful. [1, 3]

Mitigation Strategies

Immediate mitigation steps include: 1) Restrict access to the Wing FTP Server admin interface to trusted IP addresses only, minimizing exposure. 2) Ensure strong authentication credentials are used to prevent unauthorized access. 3) Monitor and audit admin interface access logs for suspicious activity. 4) If possible, disable or restrict the execution of Lua scripts or PowerShell commands via the admin interface. 5) Apply any available patches or upgrade Wing FTP Server to a version later than 4.3.8 that addresses this vulnerability. 6) As a temporary measure, consider isolating the server from untrusted networks to prevent exploitation. These steps reduce the risk of an attacker authenticating and executing arbitrary code remotely. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50934. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart