Cyber Posture

CVE-2020-37032

Severity: High · Public PoC · RCE

Published: 30 January 2026
Modified: 18 February 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0055 (68.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37032 is a high-severity OS command injection (CWE-78) vulnerability in Wing FTP Server 6.3.8 (vendor: wftpserver). Its CVSS 3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 31.8% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced below.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Windows Command Shell (T1059.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Requires validation of POST request inputs to the Lua web console, directly preventing OS command injection via malicious payloads invoking os.execute().

CM-7 Least Functionality (prevent)
Restricts or disables the non-essential Lua-based web console functionality, eliminating the primary attack vector for authenticated remote code execution.

Least privilege on console access (prevent)
Enforces least privilege to limit web console access to only necessary high-privileged users, mitigating exploitation by low-privileged authenticated attackers.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.003 Windows Command Shell (Execution)
Adversaries may abuse the Windows command shell for execution.

Why these techniques?

CVE-2020-37032 enables remote exploitation of a public-facing FTP server's web console (T1190) through OS command injection, allowing arbitrary command execution on Windows via Lua's os.execute() (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
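As an added worked example (not code from this page, NVD, VulnCheck, or Wing FTP Server), the following Python detector turns the control ideas above (SI-10 inspection of console inputs, least-privilege console access) and the T1190 to T1059.003 chain into checks that run over request logs. The console path /admin_lua_script.html, the admin allow-list, and the pipe-delimited record layout are assumptions made for illustration; only the facts that the console is reached by POST and that os.execute() is the abused primitive come from the advisory text.

```python
"""Detection sketch for abuse of a Lua web console (CVE-2020-37032 pattern).

Added example, not code from the page, NVD, or Wing FTP Server. Assumed for
illustration: the console endpoint path, the set of console-authorized
users, and the 'ts | src | user | method | path | body' record layout.
From the advisory: the console is reached by POST and the abused primitive
is os.execute().
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

LUA_CONSOLE_PATHS = {"/admin_lua_script.html"}  # assumed endpoint, adjust per deployment
CONSOLE_ADMINS = {"admin"}                       # assumed allow-list (least-privilege check)

# Lua primitives that reach the OS or filesystem, or load further code.
# os.execute() is the one the CVE names; the rest are the siblings an
# attacker substitutes when only "os.execute" is filtered. Lua names are
# case-sensitive, so no IGNORECASE.
DANGEROUS_LUA = re.compile(
    r"\b(?:os\s*\.\s*(?:execute|remove|rename|tmpname|getenv|exit)"
    r"|io\s*\.\s*(?:popen|open|lines|output|write)"
    r"|(?:load|loadstring|dofile|loadfile)\s*[(\"'])"
)
# Obfuscation tells: indexing os/io/_G/_ENV with a string key, or building a
# name by concatenation ('exe'..'cute'), which defeats the pattern above.
OBFUSCATION = re.compile(r"\b(?:os|io|_G|_ENV)\s*\[|\.\.\s*['\"]")


@dataclass
class Request:
    ts: str
    src: str
    user: str
    method: str
    path: str
    body: str  # raw, possibly form-encoded POST body ("-" when absent)


def parse_line(line: str) -> Request:
    """Parse one record of the constructed pipe-delimited layout."""
    parts = [p.strip() for p in line.split("|", 5)]
    if len(parts) != 6:
        raise ValueError(f"malformed record: {line!r}")
    return Request(*parts)


def decode_body(body: str) -> str:
    """Undo form encoding; decode a second time if the payload was double-encoded."""
    once = unquote_plus(body)
    return unquote_plus(once) if "%" in once else once


def classify(req: Request) -> list[str]:
    """Return the findings for one request (empty list means nothing suspicious)."""
    findings: list[str] = []
    if req.path not in LUA_CONSOLE_PATHS:
        return findings
    if req.user not in CONSOLE_ADMINS:
        findings.append("console-access-by-nonadmin")
    if req.method.upper() == "POST":
        body = decode_body(req.body)
        if DANGEROUS_LUA.search(body):
            findings.append("lua-os-primitive")
        if OBFUSCATION.search(body):
            findings.append("lua-obfuscation")
    return findings


def scan(lines) -> list[tuple[str, str, str, list[str]]]:
    """Run classify() over log records; return (ts, src, user, findings) for hits."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        findings = classify(req)
        if findings:
            alerts.append((req.ts, req.src, req.user, findings))
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "2026-02-18T10:00:01Z | 10.0.0.5 | admin | GET | /admin_lua_script.html | -",
    # low-privileged user posting os.execute("whoami > C:\out.txt"), form-encoded
    "2026-02-18T10:00:09Z | 203.0.113.7 | lowpriv | POST | /admin_lua_script.html | "
    "command=os.execute%28%22whoami+%3E+C%3A%5Cout.txt%22%29",
    # same user, obfuscated: _G["os"]["exe".."cute"]("calc") slips past the name regex
    "2026-02-18T10:00:12Z | 203.0.113.7 | lowpriv | POST | /admin_lua_script.html | "
    "command=_G%5B%22os%22%5D%5B%22exe%22..%22cute%22%5D%28%22calc%22%29",
    # an allow-listed admin running io.popen: still worth an alert, lower priority
    "2026-02-18T10:05:40Z | 10.0.0.5 | admin | POST | /admin_lua_script.html | "
    "command=io.popen%28%22dir%22%29%3Aread%28%22a%22%29",
    # ordinary web-client login, not the console
    "2026-02-18T10:06:02Z | 198.51.100.2 | bob | POST | /main.html | username=bob&password=hunter2",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The third sample record is the caveat a practitioner should keep in mind: a Lua console is a code-execution interface by design, and `_G["os"]["exe".."cute"]` never contains the token `os.execute`, so name-based input validation (SI-10) is bypassable and only the obfuscation heuristic fires. Treat body inspection as detection and defence in depth; the controlling mitigation is CM-7, disabling or network-restricting the console, combined with limiting console access to the admin allow-list.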

NVD Description

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

Deeper analysis (AI)

CVE-2020-37032 is a remote code execution vulnerability in Wing FTP Server version 6.3.8, specifically within its Lua-based web console. The issue, classified under CWE-78 (OS Command Injection), allows authenticated users to execute arbitrary system commands by sending POST requests with malicious payloads that invoke the os.execute() function, enabling operating system-level code execution.

The vulnerability can be exploited remotely by low-privileged authenticated users (PR:L) with low attack complexity (AC:L) and no user interaction required (UI:N), as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation provides attackers with high-impact control over confidentiality, integrity, and availability, potentially leading to full server compromise.

Advisories, including those from VulnCheck at https://www.vulncheck.com/advisories/wing-ftp-server-remote-code-execution, document the remote code execution flaw. A public exploit is available at https://www.exploit-db.com/exploits/48676, and the vendor's site is https://www.wftpserver.com/.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: wftpserver wing ftp server 6.3.8

CVEs Like This One

CVE-2025-47813 (same product: Wftpserver Wing Ftp Server)
CVE-2025-47812 (same product: Wftpserver Wing Ftp Server)
CVE-2025-27889 (same product: Wftpserver Wing Ftp Server)
CVE-2019-25267 (same product: Wftpserver Wing Ftp Server)
CVE-2026-44403 (same product: Wftpserver Wing Ftp Server)
CVE-2025-11953 (shared CWE-78)
CVE-2026-22781 (shared CWE-78)
CVE-2023-53941 (shared CWE-78)
CVE-2025-57516 (shared CWE-78)
CVE-2025-15559 (shared CWE-78)
