{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/wing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-44403"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Wing FTP Server 8.1.2"],"_cs_severities":["high"],"_cs_tags":["cve","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":["Wing"],"content_html":"\u003cp\u003eWing FTP Server 8.1.2 is vulnerable to authenticated remote code execution (CVE-2026-44403) due to unsafe session serialization. An authenticated administrator can inject arbitrary Lua code through the \u003ccode\u003emydirectory\u003c/code\u003e field within the domain admin settings. This vulnerability stems from the server\u0026rsquo;s failure to properly escape closing delimiters when serializing session values into Lua source code. Successful exploitation allows attackers to execute arbitrary code on the server when the poisoned session is loaded using the \u003ccode\u003eloadfile()\u003c/code\u003e function. This is a high-severity vulnerability as it allows for complete compromise of the affected server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Wing FTP Server as an administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the domain admin settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003emydirectory\u003c/code\u003e field with a malicious Lua payload containing code injection.\u003c/li\u003e\n\u003cli\u003eThe server serializes the session data, including the injected Lua code, into a session file without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe server saves the modified session data.\u003c/li\u003e\n\u003cli\u003eThe server loads the session file, using the \u003ccode\u003eloadfile()\u003c/code\u003e function to interpret the session data as Lua code.\u003c/li\u003e\n\u003cli\u003eThe injected Lua code is executed due to the insecure deserialization process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44403) grants the attacker the ability to execute arbitrary code on the Wing FTP Server. This can lead to complete compromise of the server, including data theft, modification, or destruction. Given that FTP servers are often used to store sensitive data, this vulnerability poses a significant risk to data confidentiality and integrity. There is no information about the number of victims, but any organization using Wing FTP Server 8.1.2 with admin accounts exposed is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Wing FTP Server that addresses CVE-2026-44403.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wing FTP Server CVE-2026-44403 RCE Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Wing FTP Server logs for suspicious activity related to session management and Lua code execution using the \u003ccode\u003eDetect Wing FTP Server Suspicious Lua Load\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T21:16:48Z","date_published":"2026-05-12T21:16:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wing-ftp-rce/","summary":"Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability (CVE-2026-44403) in the session serialization mechanism, allowing administrators to inject arbitrary Lua code and achieve remote code execution.","title":"Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization (CVE-2026-44403)","url":"https://feed.craftedsignal.io/briefs/2026-05-wing-ftp-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Wing","version":"https://jsonfeed.org/version/1.1"}