๐Ÿ” CVE Alert

CVE-2012-10028

UNKNOWN 0.0

Netwin SurgeFTP <= v23c8 Authenticated RCE

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests to `surgeftpmgr.cgi`. This can lead to full remote code execution on the underlying system.

CWE: CWE-78
Vendor: netwin
Product: surgeftp
Published: Aug 5, 2025
Last Updated: Apr 7, 2026

Affected Versions

Netwin / SurgeFTP
* ≤ 23c8

References

NVD, CVE.org, EPSS Data
* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/netwin_surgeftp_exec.rb
* exploit-db.com: https://www.exploit-db.com/exploits/23522
* exploit-db.com: https://www.exploit-db.com/exploits/23601
* netwinsite.com: https://netwinsite.com/surgeftp/
* vulncheck.com: https://www.vulncheck.com/advisories/netwin-surgeftp-auth-rce

Credits

Spencer McIntyre