Wing FTP Server - Authenticated RCE Severity: High Date: January 13, 2026 Affecting: Wing FTP Server 4.3.8 CVE ID: CVE-2022-50934 CWE: CWE-94 Improper Control of Generation of Code ('Code Injection') CVSS Score: 9.1 CVSS Vector: CVSS:3.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Links ExploitDB Wing FTP Server Official Homepage Credit notcos Description Wing FTP Server versions 4.3.8 and below contain an authenticated remote code execution vulnerability that allows attackers to execute arbitrary PowerShell commands through the admin interface. Attackers can leverage a crafted Lua script payload with base64-encoded PowerShell to establish a reverse TCP shell by authenticating and sending a malicious request to the admin panel.