Wing FTP Server RCE (CVE-2026-44403) Allows Admin Lua Injection


The National Vulnerability Database has disclosed CVE-2026-44403, an authenticated remote code execution vulnerability in Wing FTP Server version 8.1.2. This flaw exists within the session serialization mechanism, allowing authenticated administrators to inject arbitrary Lua code. The vulnerability stems from improper escaping of closing delimiters during the unsafe serialization of session values into Lua source code.

Attackers can leverage this by injecting malicious Lua code into the mydirectory field of a domain administrator. When a poisoned session is subsequently loaded via loadfile(), the injected code executes. With a CVSS score of 7.2 (HIGH), this vulnerability presents a significant risk, enabling an attacker with high privileges to achieve full system compromise.
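The delimiter problem described above, as an added example that is not Wing FTP Server's code. The page does not show the session file format, so this assumes values are written as Lua long-bracket string literals; all function names and sample values are constructed for illustration. It compares a serializer with a fixed closing delimiter against one that picks a delimiter the value cannot contain.

```python
import re

def naive_lua_literal(value: str) -> str:
    # Flawed pattern: fixed level-0 long brackets, value copied in verbatim.
    return "[[" + value + "]]"

def safe_lua_literal(value: str) -> str:
    # Lua rewrites carriage returns inside long strings, so refuse them here.
    if "\r" in value:
        raise ValueError("value needs a quoted, escaped literal instead")
    level = 0
    while True:
        closer = "]" + "=" * level + "]"
        # Accept this level only if the closer first appears at the very end.
        if (value + closer).find(closer) == len(value):
            break
        level += 1
    # Lua drops one newline right after the opener; emit it so that a value
    # starting with a newline survives.
    return "[" + "=" * level + "[\n" + value + closer

def lex_long_string(src: str):
    """Read one long-bracket literal as the Lua lexer would.
    Returns (string content, source text left over after the literal)."""
    m = re.match(r"\[(=*)\[", src)
    if not m:
        raise ValueError("not a long-bracket literal")
    closer = "]" + m.group(1) + "]"
    start = m.end()
    if src[start:start + 1] == "\n":
        start += 1
    end = src.find(closer, start)
    if end < 0:
        raise ValueError("unterminated literal")
    return src[start:end], src[end + len(closer):]

def round_trips(serialize, value: str) -> bool:
    content, leftover = lex_long_string(serialize(value))
    # Any leftover text would be parsed by loadfile() as Lua code, not data.
    return content == value and leftover == ""

# Constructed sample values, not taken from a real server.
SAMPLES = ["/srv/ftp/alice", "/srv/ftp/a]]b", "dir]", "\nleading", "a]]b]=]c"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), round_trips(naive_lua_literal, v), round_trips(safe_lua_literal, v))
```

A serializer can apply the same `round_trips` check as a self-test before it writes a session file.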

For defenders, this is a critical administrative-level exploit. Although it requires authenticated access, successful exploitation gives total control over the server. Organizations running Wing FTP Server 8.1.2 must prioritize patching and review administrative access logs for suspicious activity, especially modifications to a domain administrator's mydirectory value. Attackers will always seek to elevate privileges, and this RCE provides a direct path.

What This Means For You

  • If your organization uses Wing FTP Server, check your version immediately. Patching to a corrected version is your top priority. Audit your administrator accounts for any unauthorized access or unusual activity, as this RCE requires high privileges to exploit.

🛡️ Detection Rules

title: CVE-2026-44403 - Wing FTP Server Admin Lua Injection via mydirectory
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects the specific URI path and query parameter used in the exploitation of CVE-2026-44403. Attackers can inject Lua code into the 'mydirectory' field of a domain's configuration. This rule looks for POST requests to the '/domain/mydirectory' endpoint with the 'mydirectory' parameter present in the query string, indicating a potential attempt to exploit this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44403/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/domain/mydirectory'
    # A plain field match is an exact comparison; Sigma defines no 'exact' modifier
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'mydirectory='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44403 | RCE | Wing FTP Server version 8.1.2 |
| CVE-2026-44403 | RCE | Authenticated remote code execution via session serialization |
| CVE-2026-44403 | Code Injection | Injection of arbitrary Lua code through the domain admin mydirectory field |
| CVE-2026-44403 | Deserialization | Unsafe serialization of session values into Lua source code without proper escaping of closing delimiters |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
