CVE-2024-50498: Wing FTP Server Exploited in RCE Chains — Patch Now
- Immediate impact: Attackers are actively exploiting a Wing FTP flaw to leak sensitive configuration data and facilitate unauthorized remote access.
- Affected systems: All Wing FTP Server versions prior to 7.5.0 on Windows, Linux, and macOS platforms are vulnerable to this path traversal issue.
- Remediation: Administrators must immediately update Wing FTP Server to version 7.5.0 or later to mitigate active exploitation risks.
CISA KEV Addition Signals Urgent Risk
According to BleepingComputer, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-50498 to its Known Exploited Vulnerabilities (KEV) catalog. This CVE involves a path traversal vulnerability within the Wing FTP Server software, a multi-protocol file transfer solution utilized by organizations globally. The inclusion in the KEV catalog indicates that there is evidence of active exploitation in the wild, necessitating immediate action from federal agencies and private sector SOC teams.
The vulnerability carries a significant risk because, while primarily classified as a path traversal or information disclosure flaw, it serves as a foundational step for more severe attacks. Adversaries are using this flaw to facilitate RCE by chaining it with other system weaknesses. This allows an unauthenticated or low-privileged attacker to read sensitive files from the underlying operating system that should be strictly protected.
Technical Analysis of CVE-2024-50498
The vulnerability stems from insufficient validation of user-supplied input within the web-based administration interface of Wing FTP Server. By crafting specific HTTP requests, an attacker can bypass directory restrictions to access arbitrary files on the server host. This type of path traversal is particularly dangerous in the context of an FTP server, as the configuration files often store administrative credentials, session tokens, or cryptographic keys.
If an attacker successfully retrieves the config.xml or similar configuration assets, they may gain access to hashed or even plain-text credentials. Once administrative access is obtained, the attacker can leverage built-in server features—such as Lua scripting or task scheduling—to achieve full system compromise. This transition from a simple file leak to a complete RCE chain is why the CVSS score and CISA’s warning are so critical for security administrators to address.
How to Detect CVE-2024-50498 Exploit Activity
For organizations assessing their exposure, understanding how to detect CVE-2024-50498 exploit attempts is a priority. Monitoring the web server logs of the Wing FTP administration console is the primary method of identification. Administrators should look for unusual URL patterns containing ../ sequences, or URL-encoded variations of them, directed at administrative endpoints.
Furthermore, any unauthorized access to configuration files should trigger an alert within the SIEM. Since this flaw is often a precursor to lateral movement, defenders should also watch for secondary indicators of compromise, such as the creation of new administrative accounts or the execution of unexpected Lua scripts within the Wing FTP environment. Integrating EDR solutions to monitor the server process for child process spawning or unauthorized file reads is a recommended defensive posture.
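The log review described above can be scripted. The following is an added example written for this article, not Wing FTP's own code or tooling: it assumes the admin console writes Common Log Format access logs, repeatedly percent-decodes each request target (so single- and double-encoded ../ variants and Windows-style ..\ are all normalized before matching), flags requests that contain a dot-dot segment or reference config.xml, and notes when the server answered 200, which distinguishes a probable successful read from a failed probe. The sample log lines and the endpoint paths in them are constructed placeholders, not the real vulnerable endpoint.

```python
"""Scan admin-console access logs for path-traversal attempts.

Added example for this article; not Wing FTP's code. Assumes Common Log Format.
All sample data below is constructed; the paths are placeholders.
"""
import re
import urllib.parse
from collections import Counter

# Common Log Format (assumed): ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment: preceded by start, /, =, & or ?; followed by / or end of string
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?])\.\.(?:/|$)')
# The configuration file the article names as the high-value target of the leak
SENSITIVE_RE = re.compile(r'config\.xml', re.IGNORECASE)

# Constructed sample log. /admin/resource is a placeholder path, not the real endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /admin/login.html HTTP/1.1" 200 1532
203.0.113.9 - - [10/Jun/2025:12:00:07 +0000] "GET /admin/resource?name=../../config.xml HTTP/1.1" 200 8841
203.0.113.9 - - [10/Jun/2025:12:00:09 +0000] "GET /admin/resource?name=..%2f..%2fconfig.xml HTTP/1.1" 200 8841
203.0.113.9 - - [10/Jun/2025:12:00:11 +0000] "GET /admin/resource?name=%252e%252e%252f%252e%252e%252fconfig.xml HTTP/1.1" 200 8841
203.0.113.9 - - [10/Jun/2025:12:00:13 +0000] "GET /admin/resource?name=..%5c..%5cconfig.xml HTTP/1.1" 404 211
198.51.100.3 - - [10/Jun/2025:12:00:15 +0000] "GET /webclient/files?path=/docs/report.pdf HTTP/1.1" 200 20480
"""


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded, so nested
    encoding cannot loop forever), then fold backslashes to slashes so a
    Windows-style ..\\ segment is matched the same way as ../ ."""
    current = target
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def classify(target: str, status: str) -> list:
    """Return the reasons a request looks like traversal activity ([] if benign)."""
    reasons = []
    decoded = normalize_target(target)
    if TRAVERSAL_RE.search(decoded):
        reasons.append("dot-dot segment")
        if decoded != target:
            reasons.append("encoded traversal")  # only visible after decoding
    if SENSITIVE_RE.search(decoded):
        reasons.append("references config.xml")
    if reasons and status == "200":
        reasons.append("server returned 200 (possible successful read)")
    return reasons


def scan_log(text: str) -> list:
    """Parse each log line and keep the ones that classify() flags."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        reasons = classify(m["target"], m["status"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "target": m["target"], "reasons": reasons})
    return findings


def attempts_per_source(findings: list) -> Counter:
    """Repeated attempts from one address are a stronger signal than one hit."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]} -> {", ".join(h["reasons"])}')
    print(dict(attempts_per_source(hits)))
```

Run against the sample, the script flags the four requests from 203.0.113.9 and leaves the two benign requests alone; three of the four carry the "returned 200" reason, which is where triage should start. In production the decoded-vs-raw comparison is worth keeping as its own field, since an encoded traversal that a naive grep for "../" would miss is exactly the variant the article warns about.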
Mitigation and Wing FTP Server 7.5.0 Patch Guidance
The vendor has addressed this vulnerability in recent updates. The most effective defense is to follow the official Wing FTP Server 7.5.0 patch guidance and ensure all instances are running the latest version. Specifically, version 7.5.0 contains the necessary input sanitization to prevent directory traversal via the web interface.
Beyond patching, organizations should implement the following security measures:
- Restrict Admin Access: Ensure the web administration interface is not exposed to the public internet. Use a VPN or Zero Trust Network Access (ZTNA) to gate access.
- Network Segmentation: Isolate the FTP server from critical internal resources to prevent an attacker from achieving lateral movement if the server is compromised.
- Least Privilege: Run the Wing FTP service under a low-privileged service account rather than a SYSTEM or root account to limit the impact of a potential RCE.
By applying these updates and monitoring for the TTPs associated with path traversal, organizations can effectively neutralize the threat posed by this actively exploited vulnerability.