HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Authenticated Remote Code Execution in Wing FTP Server 8.1.3 (CVE‑2026‑44403)

A newly disclosed vulnerability (CVE‑2026‑44403) lets an authenticated administrator inject Lua code into Wing FTP Server ≤ 8.1.2, achieving remote code execution and persistent payload execution. Organizations using the product must patch immediately and rotate privileged credentials to mitigate third‑party risk.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Authenticated Remote Code Execution in Wing FTP Server 8.1.3 (CVE‑2026‑44403)

What Happened — A newly disclosed vulnerability (CVE‑2026‑44403) allows an authenticated administrator of Wing FTP Server ≤ 8.1.2 to inject arbitrary Lua code via the mydirectory field. The malicious payload is deserialized and executed on the server using loadfile(), granting full code execution under the service account and persisting across sessions.

Why It Matters for TPRM

  • The flaw can be weaponised by threat actors who obtain or guess privileged credentials, turning a trusted file‑transfer service into a foothold inside the supply chain.
  • Persistent RCE enables lateral movement, data exfiltration, or ransomware deployment against downstream customers.
  • Many organisations embed Wing FTP Server in internal SaaS, cloud‑hosted, or on‑premise environments, making it a high‑risk third‑party component.

Who Is Affected — Enterprises that deploy Wing FTP Server for internal or external file transfer, spanning sectors such as technology, finance, healthcare, and manufacturing.

Recommended Actions

  • Verify the version of Wing FTP Server in use; upgrade immediately to 8.1.3 or later.
  • Rotate all administrator credentials and enforce MFA where possible.
  • Review session‑handling logs for anomalous mydirectory values or unexpected Lua execution.
  • If the vulnerable version cannot be patched, isolate the service behind strict network segmentation and monitor for suspicious outbound connections.

Technical Notes

  • Attack Vector: Authenticated admin credentials → session serialization poisoning → Lua code execution via loadfile().
  • CVE: CVE‑2026‑44403 (RCE).
  • Data Types at Risk: System files, configuration data, and any files accessible to the FTP service account.
  • Persistence: The malicious session is re‑executed each time it is loaded, providing a long‑term foothold.

Source: Exploit‑DB 52589

📰 Original Source
https://www.exploit-db.com/exploits/52589

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →