Authenticated Remote Code Execution in Wing FTP Server 8.1.3 (CVE‑2026‑44403)
What Happened — A newly disclosed vulnerability (CVE‑2026‑44403) allows an authenticated administrator of Wing FTP Server ≤ 8.1.2 to inject arbitrary Lua code via the mydirectory field. The malicious payload is deserialized and executed on the server using loadfile(), granting full code execution under the service account and persisting across sessions.
Why It Matters for TPRM —
- The flaw can be weaponised by threat actors who obtain or guess privileged credentials, turning a trusted file‑transfer service into a foothold inside the supply chain.
- Persistent RCE enables lateral movement, data exfiltration, or ransomware deployment against downstream customers.
- Many organisations embed Wing FTP Server in internal SaaS, cloud‑hosted, or on‑premise environments, making it a high‑risk third‑party component.
Who Is Affected — Enterprises that deploy Wing FTP Server for internal or external file transfer, spanning sectors such as technology, finance, healthcare, and manufacturing.
Recommended Actions —
- Verify the version of Wing FTP Server in use; upgrade immediately to 8.1.3 or later.
- Rotate all administrator credentials and enforce MFA where possible.
- Review session‑handling logs for anomalous
mydirectoryvalues or unexpected Lua execution. - If the vulnerable version cannot be patched, isolate the service behind strict network segmentation and monitor for suspicious outbound connections.
Technical Notes —
- Attack Vector: Authenticated admin credentials → session serialization poisoning → Lua code execution via
loadfile(). - CVE: CVE‑2026‑44403 (RCE).
- Data Types at Risk: System files, configuration data, and any files accessible to the FTP service account.
- Persistence: The malicious session is re‑executed each time it is loaded, providing a long‑term foothold.
Source: Exploit‑DB 52589