What is CVE-2012-10028?

CVE-2012-10028 is a vulnerability in Netwin Surgeftp, classified under OS Command Injection. Published 2025-08-05.

Is CVE-2012-10028 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Netwin Surgeftp

CVE-2012-10028

Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests to `surgeftpmgr.cgi`. This can lead to f…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.743 (98.9th percentile) — read the EPSS interpretation.

Affected products

Netwin Surgeftp — versions 0

Weakness classification (CWE)

CWE-78 — OS Command Injection

Public proof-of-concept exploits

rapid7/metasploit-framework

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/m… (exploit)
www.exploit-db.com/exploits/23522 (exploit)
www.exploit-db.com/exploits/23601 (exploit)
netwinsite.com/surgeftp/ (product)
www.vulncheck.com/advisories/netwin-surgeftp-auth-rce (third-party-advisory)

Frequently asked questions

What is CVE-2012-10028?: CVE-2012-10028 is a vulnerability in Netwin Surgeftp, classified under OS Command Injection. Published 2025-08-05.
Is CVE-2012-10028 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.