Vulnerability Description
Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests to `surgeftpmgr.cgi`. This can lead to full remote code execution on the underlying system.
Related Weaknesses (CWE)
References
- https://netwinsite.com/surgeftp/
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exp
- https://www.exploit-db.com/exploits/23522
- https://www.exploit-db.com/exploits/23601
- https://www.vulncheck.com/advisories/netwin-surgeftp-auth-rce
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exp
- https://www.exploit-db.com/exploits/23522
- https://www.exploit-db.com/exploits/23601
FAQ
What is CVE-2012-10028?
CVE-2012-10028 is a documented vulnerability. Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests t...
How severe is CVE-2012-10028?
CVSS scoring is not yet available for CVE-2012-10028. Check NVD for updates.
Is there a patch for CVE-2012-10028?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.