CVE-2020-37032

8.8 HIGH

📋 TL;DR

CVE-2020-37032 is a remote code execution vulnerability in Wing FTP Server's Lua-based web console that allows authenticated attackers to execute arbitrary system commands via the os.execute() function. This affects organizations running vulnerable versions of Wing FTP Server with web console access enabled. Attackers can gain full control of the server if they obtain valid credentials.

💻 Affected Systems

Products:
  • Wing FTP Server
Versions: 6.3.8 and likely earlier versions
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires web console access enabled and attacker authentication. The vulnerability exists in the Lua scripting engine used by the web console.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the FTP server host with the attacker gaining SYSTEM/root privileges, enabling data theft, lateral movement, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Authenticated attackers with web console access execute commands to steal sensitive files, install malware, or pivot to other systems on the network.

🟢 If Mitigated

Limited impact if proper network segmentation, least-privilege access, and command execution restrictions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires valid credentials but uses simple POST requests with command injection. Public exploit code is available on Exploit-DB.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.0 and later

Vendor Advisory: https://www.wftpserver.com/

Restart Required: Yes

Instructions:

1. Download the latest version from the vendor website.
2. Back up configuration and data.
3. Run the installer to upgrade.
4. Restart the Wing FTP Server service.
5. Verify web console functionality.

🔧 Temporary Workarounds

Disable Web Console (applies to: all platforms)

Completely disable the vulnerable Lua-based web console interface.

Edit the server configuration to disable the web console, or remove web console access permissions from user accounts.

Restrict Web Console Access (applies to: all platforms)

Limit web console access to specific IP addresses, or disable it for non-admin users.

Configure firewall rules to block the web console port (5466 by default) from untrusted networks.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FTP server from critical systems
  • Enforce strong authentication policies and monitor for suspicious web console login attempts

🔍 How to Verify

Check if Vulnerable:

Check Wing FTP Server version in admin interface or configuration files. Version 6.3.8 or earlier with web console enabled is vulnerable.

Check Version:

Check server admin interface or configuration file for version number

Verify Fix Applied:

Verify version is 6.4.0 or later and test web console functionality to ensure commands cannot be executed via POST requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to web console with command-like parameters
  • Multiple failed authentication attempts followed by successful login
  • System command execution events in server logs

Network Indicators:

  • POST requests to /console endpoint with os.execute or system command parameters
  • Unusual outbound connections from FTP server

SIEM Query:

source="wingftp.log" AND (POST AND console AND (os.execute OR cmd.exe OR /bin/bash))
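The log and network indicators above, together with the version check in the "How to Verify" section, can be turned into a small offline triage script. The following is an added example, not code from the advisory or from Wing FTP Server: the log line layout, the /login path and the sample log lines are constructed assumptions, while the command indicator strings (os.execute, cmd.exe, /bin/bash), the /console path and the 6.4.0 fixed version come from the advisory.

```python
"""Offline triage helpers for the CVE-2020-37032 indicators in this advisory.

Added example, not part of the advisory or of Wing FTP Server. The log line
layout, LOGIN_PATH and SAMPLE_LOG are constructed assumptions; the command
indicators, CONSOLE_PATH and FIXED_VERSION are taken from the advisory.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Indicator strings from the advisory's SIEM query.
COMMAND_INDICATORS = ("os.execute", "cmd.exe", "/bin/bash")
CONSOLE_PATH = "/console"      # web console endpoint named in the advisory
LOGIN_PATH = "/login"          # ASSUMED path of the web console login form
FIXED_VERSION = (6, 4, 0)      # advisory: 6.4.0 and later are fixed

# ASSUMED layout: ip user [timestamp] "METHOD path" status body
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<body>.*)$'
)

# Constructed sample lines (not captured from a real server).
SAMPLE_LOG = """\
203.0.113.5 admin [2024-01-10 09:11:40] "POST /login" 401 -
203.0.113.5 admin [2024-01-10 09:11:45] "POST /login" 401 -
203.0.113.5 admin [2024-01-10 09:11:51] "POST /login" 401 -
203.0.113.5 admin [2024-01-10 09:11:58] "POST /login" 200 -
203.0.113.5 admin [2024-01-10 09:12:01] "POST /console" 200 command=dir
203.0.113.5 admin [2024-01-10 09:12:09] "POST /console" 200 command=os.execute('id')
198.51.100.7 alice [2024-01-10 09:15:33] "GET /console" 200 -
198.51.100.7 alice [2024-01-10 09:15:40] "POST /console" 200 command=cmd.exe /c whoami
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_console_command_posts(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, ip, user, indicator) for every POST to the console path
    whose body carries one of the command indicators (case-insensitive)."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith(CONSOLE_PATH):
            continue
        body = rec["body"].lower()
        for indicator in COMMAND_INDICATORS:
            if indicator.lower() in body:
                hits.append((rec["ts"], rec["ip"], rec["user"], indicator))
                break  # one finding per line is enough
    return hits


def find_failed_then_success(log_text: str, min_failures: int = 3) -> List[Tuple[str, str, int]]:
    """Return (ip, user, failure_count) wherever at least min_failures consecutive
    failed logins (HTTP 401) for the same ip/user are directly followed by a 200."""
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    findings: List[Tuple[str, str, int]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        key = (rec["ip"], rec["user"])
        if rec["status"] == "401":
            streak[key] += 1
            continue
        if rec["status"] == "200" and streak[key] >= min_failures:
            findings.append((rec["ip"], rec["user"], streak[key]))
        streak[key] = 0  # any non-401 outcome ends the run
    return findings


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '6.3.8' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version is below the advisory's fixed version (6.4.0)."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    for hit in find_console_command_posts(SAMPLE_LOG):
        print("console command indicator:", hit)
    for finding in find_failed_then_success(SAMPLE_LOG):
        print("failed logins followed by success:", finding)
    for v in ("6.3.8", "6.4.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Against the constructed sample, the script flags the two console POSTs carrying os.execute and cmd.exe (the plain `command=dir` line is not matched), reports the three 401s followed by a 200 for the admin account, and classifies 6.3.8 as vulnerable and 6.4.0 as fixed. To run it on real data, adjust LINE_RE and LOGIN_PATH to the actual log format, since both are assumptions here.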
