CVE-2026-44403 Overview
CVE-2026-44403 is an authenticated remote code execution vulnerability affecting Wing FTP Server versions prior to 8.1.3. The flaw resides in the session serialization mechanism, which writes session values into Lua source code without escaping closing delimiters. An authenticated administrator can inject arbitrary Lua code through the domain admin mydirectory field. The poisoned session is later evaluated when the server loads it through loadfile(), executing attacker-supplied code in the server context. The issue is classified under CWE-94: Improper Control of Generation of Code.
Critical Impact
Authenticated administrators can achieve arbitrary code execution on the host running Wing FTP Server, compromising confidentiality, integrity, and availability of the FTP service and underlying system.
Affected Products
- Wing FTP Server versions before 8.1.3
- wftpserver:wing_ftp_server CPE-indexed builds
- Deployments exposing the domain admin web interface
Discovery Timeline
- 2026-05-12 - CVE-2026-44403 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44403
Vulnerability Analysis
Wing FTP Server persists session state by serializing values into Lua source files that are reloaded with loadfile(). The serializer concatenates user-controlled strings into Lua literals without escaping the literal's closing delimiter. When an authenticated administrator submits a crafted value through the domain admin mydirectory field, the input breaks out of its string context and becomes executable Lua code. On the next session load, the Lua interpreter compiles and runs the injected statements with the privileges of the Wing FTP Server process.
The defect is a code injection issue [CWE-94] rather than a memory safety flaw. Exploitation does not require crafting shellcode or bypassing memory protections, only valid administrator credentials and the ability to reach the management interface.
Root Cause
The root cause is unsafe serialization of attacker-influenced strings into a dynamically interpreted language. The session writer treats user input as inert data while the session loader treats the file as trusted source code. Because closing quote and bracket sequences are not escaped, the boundary between data and code collapses.
Attack Vector
The attack is network-reachable and requires high privileges, specifically an authenticated domain administrator account. After authenticating, the attacker submits a crafted mydirectory value containing Lua syntax that terminates the surrounding string literal and appends arbitrary statements. The payload executes when the server reloads the session file, yielding code execution under the Wing FTP Server account. See the VulnCheck Security Advisory for the full technical writeup.
Detection Methods for CVE-2026-44403
Indicators of Compromise
- Session files on disk containing unexpected Lua statements such as os.execute, io.popen, or require calls outside of normal session value assignments.
- Modifications to the domain admin mydirectory field containing closing quote characters, brackets, or newline sequences.
- Wing FTP Server processes spawning unexpected child processes such as shells, scripting interpreters, or network utilities.
Detection Strategies
- Audit administrator activity logs for changes to mydirectory values, especially entries containing Lua delimiters or control characters.
- Compare on-disk session files against a known-good baseline to detect injected code constructs.
- Alert on Wing FTP Server child processes that deviate from the documented runtime behavior of the service.
Monitoring Recommendations
- Forward Wing FTP Server administrative and session logs to a centralized SIEM for correlation with process telemetry.
- Monitor authentication events for the domain admin role and flag anomalous source IPs or off-hours logins.
- Track filesystem events on the session storage directory to detect tampering between writes and loadfile() reads.
How to Mitigate CVE-2026-44403
Immediate Actions Required
- Upgrade Wing FTP Server to version 8.1.3 or later, which addresses the unsafe session serialization path.
- Rotate all domain admin credentials and review recently created administrator accounts for unauthorized additions.
- Inspect existing session files for injected Lua code and delete or restore any that fail integrity validation.
Patch Information
The vendor resolved the issue in Wing FTP Server 8.1.3. Release notes are available on the WFTP Server History Page. Apply the update on all server nodes and restart the service to ensure the patched serializer is loaded.
Workarounds
- Restrict access to the domain admin web interface using firewall rules or a VPN until the patch is deployed.
- Enforce strong, unique credentials and multi-factor authentication for all administrator accounts.
- Limit which operators can modify the mydirectory field and review configuration changes through a change-control process.
# Configuration example: restrict admin interface to a management subnet
iptables -A INPUT -p tcp --dport 5466 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5466 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
