PT-2025-31980 · Netwin · Surgeftp
Published 2025-08-05 · Updated 2025-08-05 · CVE-2012-10028
CVSS v4.0: 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Netwin SurgeFTP versions 23c8 and earlier
Description
Netwin SurgeFTP contains a flaw in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests to the surgeftpmgr.cgi endpoint. This can lead to full remote code execution on the underlying system.
Recommendations
Versions prior to 23c8 should be updated.
As a temporary workaround, restrict access to the surgeftpmgr.cgi endpoint to minimize the risk of exploitation.
Fix
RCE
OS Command Injection
Affected Products
Surgeftp