SecureState Blog


“SurgeFTP ftp server is a secure FTP server that provides industrial strength secure SSL/TLS encryption, powerful FTP server performance, full and complete reporting tools and most importantly, ease of management” –
The SurgeFTP server’s web-based administrative console is vulnerable to remote command injection. A specially crafted request sent to /cgi/surgeftpmgr.cgi executes arbitrary commands in the context of the user account running the application. An authenticated session is required to exploit this vulnerability. The vendor was contacted regarding this issue and stated that they did not consider it to be a vulnerability. SecureState identified both SurgeFTP versions 2.3b6 and 2.3c8 as vulnerable. A proof-of-concept exploit demonstrating this flaw has been released by SecureState.
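As an added detection example (not part of SecureState's post or its exploit), the following Python scans constructed web access-log lines and flags requests to the admin console's /cgi/surgeftpmgr.cgi whose decoded parameter values contain shell metacharacters. The parameter names and log entries are assumptions, since the post does not say which field is injectable.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not from the original post). The CGI path
# comes from the advisory; parameter names such as "name" and "cmd" are made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2012:10:01:02 +0000] "GET /cgi/surgeftpmgr.cgi?page=status HTTP/1.1" 200 512
10.0.0.5 - admin [12/Mar/2012:10:01:09 +0000] "POST /cgi/surgeftpmgr.cgi?action=save&name=test%3Bid HTTP/1.1" 200 128
10.0.0.9 - - [12/Mar/2012:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.5 - admin [12/Mar/2012:10:03:11 +0000] "GET /cgi/surgeftpmgr.cgi?cmd=%60whoami%60 HTTP/1.1" 200 64
"""

# Common Log Format: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in an admin-console parameter value
# (command separators, pipes, backticks, $(...) substitution, embedded newlines).
SHELL_META = re.compile(r'[;|`&]|\$\(|\n')

ADMIN_CGI = "/cgi/surgeftpmgr.cgi"


def suspicious_params(target):
    """Return decoded (name, value) pairs whose value contains shell metacharacters."""
    hits = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        value = unquote_plus(value)  # decode %3B, %60, %0A etc. before inspecting
        if SHELL_META.search(value):
            hits.append((unquote_plus(name), value))
    return hits


def scan_log(text):
    """Flag requests to the SurgeFTP admin CGI that carry shell metacharacters."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != ADMIN_CGI:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Because exploitation requires an authenticated session, the flagged username is as important as the payload: an admin account issuing such requests points to a compromised credential rather than an anonymous probe.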

Additional information on SurgeFTP can be found here.

Exploit code can be found here.