Attack Chain

1. The attacker authenticates to the Wing FTP Server as an administrator.
2. The attacker navigates to the domain admin settings.
3. The attacker modifies the mydirectory field with a malicious Lua payload containing code injection.
4. The server serializes the session data, including the injected Lua code, into a session file without proper sanitization.
5. The server saves the modified session data.
6. The server loads the session file, using the loadfile() function to interpret the session data as Lua code.
7. The injected Lua code is executed due to the insecure deserialization process.
8. The attacker achieves remote code execution on the server.

Impact

Successful exploitation of this vulnerability (CVE-2026-44403) grants the attacker the ability to execute arbitrary code on the Wing FTP Server. This can lead to complete compromise of the server, including data theft, modification, or destruction. Given that FTP servers are often used to store sensitive data, this vulnerability poses a significant risk to data confidentiality and integrity. There is no information about the number of victims, but any organization using Wing FTP Server 8.1.2 with admin accounts exposed is at risk.

Recommendation

• Upgrade to a patched version of Wing FTP Server that addresses CVE-2026-44403.
• Deploy the Sigma rule Detect Wing FTP Server CVE-2026-44403 RCE Attempt to detect attempts to exploit this vulnerability.
• Monitor Wing FTP Server logs for suspicious activity related to session management and Lua code execution using the Detect Wing FTP Server Suspicious Lua Load rule.