
CVE-2020-37079: Wing FTP Server CSRF Vulnerability

CVE-2020-37079 is a cross-site request forgery flaw in Wing FTP Server's web admin interface that enables attackers to delete admin users. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2020-37079 Overview

CVE-2020-37079 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Wing FTP Server versions prior to 6.2.7. The vulnerability exists in the web administration interface and allows attackers to delete admin users by crafting a malicious HTML page with a hidden form that submits unauthorized requests to the server.

Critical Impact

Attackers can delete administrative user accounts without proper authorization, potentially locking legitimate administrators out of the system and enabling further compromise of the FTP server infrastructure.

Affected Products

  • Wing FTP Server versions prior to 6.2.7

Discovery Timeline

  • 2026-02-07 - CVE-2020-37079 published to NVD
  • 2026-02-09 - Last updated in NVD database

Technical Details for CVE-2020-37079

Vulnerability Analysis

This Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) affects the web administration interface of Wing FTP Server. The core issue stems from the lack of proper CSRF token validation when processing administrative actions. When an authenticated administrator visits a malicious webpage while logged into the Wing FTP Server admin interface, the attacker-controlled page can silently submit requests that perform administrative operations, specifically deleting admin user accounts.

The attack requires user interaction—the victim administrator must be logged into the Wing FTP Server web interface and navigate to a malicious page crafted by the attacker. Once these conditions are met, the hidden form on the attacker's page automatically submits a request to the admin panel, which the server processes as a legitimate request from the authenticated session.

Root Cause

The root cause of this vulnerability is the absence of anti-CSRF protections in the Wing FTP Server web administration interface. The server fails to implement proper request validation mechanisms such as CSRF tokens, origin header verification, or same-site cookie attributes. This allows cross-origin requests from attacker-controlled pages to be processed as if they were legitimate actions from the authenticated administrator.
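The three controls named above (a synchronizer token, Origin/Referer verification, and a SameSite session cookie) are shown together in this added example of the validation a web admin interface or a reverse proxy in front of it would apply to state-changing requests. It is not Wing FTP Server's code; the admin URL, endpoint and form field names are assumptions.

```python
import hmac
import secrets
from typing import Mapping
from urllib.parse import urlsplit

# Assumed admin interface URL; in practice read from configuration.
ADMIN_ORIGIN = "https://ftpadmin.example.internal:5466"
# Methods that change server state and therefore need CSRF protection.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session: dict) -> str:
    """Create a per-session synchronizer token and keep it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that keeps the admin session off cross-site requests."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def _source_matches(headers: Mapping[str, str]) -> bool:
    """The Origin header (or Referer as fallback) must name the admin interface."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # state change with no source information is rejected
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ADMIN_ORIGIN


def is_request_allowed(method: str, headers: Mapping[str, str],
                       form: Mapping[str, str], session: dict) -> bool:
    """Allow a request only if it is same-source and carries the session token."""
    if method not in STATE_CHANGING:
        return True  # safe methods do not change state
    if not _source_matches(headers):
        return False
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing or stale token fails here.
    return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())
```

A hidden cross-site form fails both checks: its Origin is the attacker's site and it cannot know the token stored in the administrator's session.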

Attack Vector

The attack vector is network-based and requires the following conditions:

  1. The target administrator must be authenticated to the Wing FTP Server web admin interface
  2. The administrator must visit an attacker-controlled webpage (via phishing, malicious ad, or compromised website)
  3. The malicious page contains a hidden HTML form that auto-submits to the Wing FTP Server admin endpoint
  4. The request targets the user deletion functionality, removing administrative accounts

The attack leverages the browser's automatic inclusion of session cookies with cross-origin requests, allowing the attacker's malicious form submission to inherit the administrator's authenticated session.

For detailed technical information and proof-of-concept examples, refer to the Exploit-DB #48200 and the VulnCheck Advisory.

Detection Methods for CVE-2020-37079

Indicators of Compromise

  • Unexpected deletion of administrative user accounts in Wing FTP Server
  • Audit logs showing admin account deletions without corresponding legitimate admin activity
  • Reports from administrators of being locked out after visiting external websites
  • HTTP request logs showing DELETE or POST requests to admin user management endpoints with unusual referer headers

Detection Strategies

  • Monitor Wing FTP Server logs for administrative account modifications, especially deletions
  • Review web server access logs for requests to admin endpoints with external or unexpected referer headers
  • Implement alerting on any administrative user account deletions
  • Correlate admin activity timestamps with browsing history to identify suspicious sequences
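The second strategy above, reviewing access logs for state-changing admin requests whose Referer is absent or names another site, as an added example run over constructed combined-format log lines. This is not Wing FTP Server's logging or endpoint layout; the admin host, port and `/admin/` prefix are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed admin interface host and path prefix for the example.
ADMIN_HOST = "ftpadmin.example.internal:5466"
ADMIN_PREFIX = "/admin/"
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Constructed sample log: two same-site requests, one with a foreign referer,
# one with no referer at all.
SAMPLE_LOG = """\
10.0.0.5 - admin [07/Feb/2026:10:01:12 +0000] "GET /admin/users HTTP/1.1" 200 2310 "https://ftpadmin.example.internal:5466/admin/" "Mozilla/5.0"
10.0.0.5 - admin [07/Feb/2026:10:02:40 +0000] "POST /admin/users/delete HTTP/1.1" 302 0 "https://ftpadmin.example.internal:5466/admin/users" "Mozilla/5.0"
10.0.0.5 - admin [07/Feb/2026:10:15:03 +0000] "POST /admin/users/delete HTTP/1.1" 302 0 "https://news.example.net/article.html" "Mozilla/5.0"
10.0.0.5 - admin [07/Feb/2026:10:16:11 +0000] "POST /admin/users/delete HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def suspicious_admin_requests(log_text: str) -> list:
    """Return (timestamp, path, referer) for state-changing admin requests whose
    Referer is missing or points at a host other than the admin interface."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than guessed
        if m["method"] not in STATE_CHANGING or not m["path"].startswith(ADMIN_PREFIX):
            continue
        referer = m["referer"]
        if referer == "-":
            # Weaker signal: browsers may strip Referer under a strict referrer policy.
            hits.append((m["ts"], m["path"], "missing"))
        elif urlsplit(referer).netloc != ADMIN_HOST:
            hits.append((m["ts"], m["path"], referer))
    return hits
```

A foreign-referer hit on a deletion endpoint is worth correlating with the audit log entry for the removed account and the administrator's browsing at that time.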

Monitoring Recommendations

  • Enable detailed audit logging for all administrative actions in Wing FTP Server
  • Configure log forwarding to a centralized SIEM for real-time correlation and alerting
  • Set up alerts for administrative account changes, particularly deletions
  • Monitor for unusual HTTP traffic patterns to the web administration interface

How to Mitigate CVE-2020-37079

Immediate Actions Required

  • Upgrade Wing FTP Server to version 6.2.7 or later immediately
  • Restrict access to the web administration interface to trusted IP addresses only
  • Implement network-level controls to limit admin interface exposure
  • Advise administrators to use dedicated browsers for server administration and avoid browsing untrusted sites

Patch Information

Wing FTP Server version 6.2.7 addresses this CSRF vulnerability by implementing proper request validation. Organizations should upgrade to this version or later to remediate the vulnerability. For version history and download information, visit the WFTP Server History page.

Workarounds

  • Restrict web administration interface access to specific trusted IP addresses using firewall rules
  • Configure administrators to use a separate browser profile or session dedicated solely to Wing FTP Server administration
  • Implement network segmentation to isolate the admin interface from general network traffic
  • Consider disabling the web administration interface entirely and using alternative management methods if available

```bash
# Example: restrict admin interface access via iptables (Linux proxy/firewall)
# Only allow access from the trusted admin workstation IP. iptables matches
# rules in order, so these must sit ahead of any broader ACCEPT rule.
iptables -A INPUT -p tcp --dport 5466 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 5466 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
