It is considered high-severity (CVSS 8.6) and has been flagged by as actively exploited in the wild. Metasploit Support: A module exists within the Metasploit Framework
: Metasploit modules and public Exploit-DB scripts often use base64-encoded PowerShell or VBS stagers to establish reverse shells. Version Comparison & Technical Evolution Feature/Aspect Versions <= 4.3.8 Versions > 4.3.8 URL Encoding Standard handling Different encoding logic that breaks some legacy exploits Lua Interpreter Introduced in v3.0.0; fully exploitable via os.execute Present, but often with improved input sanitization Default Privileges Runs as NT AUTHORITY/SYSTEM (Windows) or root (Linux) Same default, but newer patches mitigate the injection path Operational Impact wing ftp server 4.3.8
Modern versions of Wing FTP Server offer vital enhancements that version 4.3.8 lacks: It is considered high-severity (CVSS 8