
CVE-2022-50934: Wing FTP Server RCE Vulnerability

CVE-2022-50934 is an authenticated remote code execution flaw in Wing FTP Server 4.3.8 and below that enables attackers to execute PowerShell commands via the admin interface. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2022-50934 Overview

Wing FTP Server versions 4.3.8 and below contain an authenticated remote code execution vulnerability that allows attackers to execute arbitrary PowerShell commands through the admin interface. Attackers can leverage a crafted Lua script payload with base64-encoded PowerShell to establish a reverse TCP shell by authenticating and sending a malicious request to the admin panel.

Critical Impact

Authenticated attackers with admin panel access can achieve full system compromise through arbitrary PowerShell command execution, potentially leading to complete server takeover.

Affected Products

  • Wing FTP Server version 4.3.8
  • Wing FTP Server versions below 4.3.8

Discovery Timeline

  • 2026-01-13 - CVE-2022-50934 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2022-50934

Vulnerability Analysis

This vulnerability is classified as Code Injection (CWE-94), affecting the Wing FTP Server administrative interface. The flaw exists in how the server processes Lua scripts submitted through the admin panel, allowing authenticated administrators to inject and execute arbitrary system commands.

The vulnerability requires network access and valid administrative credentials to exploit. Once authenticated, an attacker can craft a malicious Lua script payload containing base64-encoded PowerShell commands. When the server processes this script, it executes the embedded PowerShell code with the privileges of the Wing FTP Server process, typically running with elevated system permissions on Windows servers.

Root Cause

The root cause of this vulnerability lies in insufficient input validation and sanitization of Lua script content processed by the admin interface. The Wing FTP Server fails to properly restrict the execution context of Lua scripts, allowing them to spawn system processes and execute arbitrary operating system commands. This design flaw enables attackers to break out of the intended Lua execution sandbox and interact directly with the underlying Windows operating system through PowerShell.

Attack Vector

The attack is conducted over the network against the Wing FTP Server admin interface. An attacker must first authenticate to the administrative panel using valid credentials. Once authenticated, the attacker submits a specially crafted request containing a malicious Lua script. This script includes base64-encoded PowerShell commands designed to establish a reverse TCP shell connection back to an attacker-controlled system.

The attack flow involves:

  1. Authenticating to the Wing FTP Server admin interface
  2. Crafting a Lua script payload with embedded PowerShell commands
  3. Submitting the malicious request to the admin panel
  4. The server processes the Lua script and executes the PowerShell payload
  5. A reverse shell connection is established to the attacker's system

For technical details on the exploitation mechanism, refer to Exploit-DB #50720 and the VulnCheck Advisory.

Detection Methods for CVE-2022-50934

Indicators of Compromise

  • Unusual outbound network connections from the Wing FTP Server process to external IP addresses
  • PowerShell execution spawned as child processes of the Wing FTP Server service
  • Base64-encoded strings in admin panel request logs or Lua script submissions
  • Unexpected administrative login activity, especially from unfamiliar IP addresses

Detection Strategies

  • Monitor for PowerShell process creation events originating from the Wing FTP Server process (wftpserver.exe)
  • Implement web application firewall rules to detect Lua script submissions containing encoded command strings
  • Review authentication logs for the admin interface to identify suspicious login patterns
  • Deploy endpoint detection solutions capable of identifying reverse shell behavior and anomalous process trees
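
The first strategy above, sketched as an added example (not SentinelOne or Wing FTP code): it scans process-creation events for command shells whose parent is wftpserver.exe and decodes any PowerShell -EncodedCommand argument for triage. It assumes events are already parsed into dictionaries with Sysmon Event ID 1 field names (ProcessId, Image, ParentImage, CommandLine); the sample events, paths and PIDs are constructed.

```python
import base64
import ntpath
import re

SERVER_IMAGE = "wftpserver.exe"   # service process name given in the advisory
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A flag followed by something that looks like a base64 argument.
FLAG_RE = re.compile(r"\s[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{8,}={0,2})")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text (base64 of UTF-16LE), or None."""
    for flag, blob in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable>"
    return None

def suspicious_children(events):
    """Return (pid, child image, decoded command) for shells spawned by the server."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ev["ParentImage"]).lower()
        child = ntpath.basename(ev["Image"]).lower()
        if parent == SERVER_IMAGE and child in SHELLS:
            hits.append((ev["ProcessId"], child, decode_encoded_command(ev["CommandLine"])))
    return hits

# Constructed sample events (paths, PIDs and command lines are made up).
_BLOB = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\WingFTP\wftpserver.exe", "Image": PS,
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {_BLOB}"},
    {"ProcessId": 4277, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 4388, "ParentImage": r"C:\WingFTP\wftpserver.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for pid, image, decoded in suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {image} spawned by {SERVER_IMAGE}; decoded={decoded!r}")
```

Matching on the parent image name rather than on command-line content keeps the rule effective when the payload encoding changes; the decode step only speeds up triage.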

Monitoring Recommendations

  • Enable verbose logging on the Wing FTP Server admin interface to capture all administrative actions
  • Configure SIEM alerts for PowerShell execution events correlated with FTP server activity
  • Monitor network traffic for reverse shell signatures and unexpected outbound connections on common attacker ports
  • Implement file integrity monitoring on Wing FTP Server configuration and script directories

How to Mitigate CVE-2022-50934

Immediate Actions Required

  • Upgrade Wing FTP Server to a version newer than 4.3.8 that addresses this vulnerability
  • Restrict admin interface access to trusted IP addresses only using firewall rules
  • Enforce strong, unique credentials for all administrative accounts
  • Audit current administrative user accounts and remove any unnecessary or unused accounts

Patch Information

Users should upgrade Wing FTP Server to the latest available version from the official WFTP Server website. Review the VulnCheck Advisory for additional remediation guidance and version-specific patch information.

Workarounds

  • Implement network segmentation to isolate the Wing FTP Server admin interface from untrusted networks
  • Use a reverse proxy with additional authentication layers in front of the admin panel
  • Disable Lua script functionality if not required for operations
  • Deploy application whitelisting to prevent unauthorized PowerShell execution from the FTP server process
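
```powershell
# Example: restrict admin interface access via Windows Firewall.
# Block rules take precedence over allow rules in Windows Firewall, so a blanket
# block rule on port 5466 would also cut off the trusted subnet. Rely on the
# default inbound block policy and add one allow rule scoped to the trusted range;
# remove or narrow any existing broader allow rule covering this port.
netsh advfirewall firewall add rule name="Allow WingFTP Admin Trusted" dir=in action=allow protocol=tcp localport=5466 remoteip=192.168.1.0/24
```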

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
