Cyber Posture

CVE-2020-36897

Critical · Public PoC

Published: 10 December 2025
Modified: 17 December 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0246 (85.3th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server.

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly remediates the unrestricted file upload flaw in QH.aspx by identifying, reporting, and correcting the vulnerability through timely patching or updates.

Prevent: Validates 'remotePath' and 'fileToUpload' parameters to reject malicious ASPX scripts and prevent arbitrary command execution on the server.

Prevent: Restricts classes of file upload inputs to safe types only, blocking unrestricted upload of dangerous executable ASPX files.
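
One way to implement the input-validation and file-type controls above, as an added C# example that is not the vendor's code and does not come from the referenced advisories. The `UploadGuard` class, the `D:\signage-media` storage root and the extension allow-list are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example. UploadGuard, UploadRoot and AllowedExtensions are hypothetical names.
public static class UploadGuard
{
    // Assumption: media is stored outside any directory that IIS maps to ASP.NET handlers.
    private static readonly string UploadRoot =
        Path.GetFullPath(@"D:\signage-media") + Path.DirectorySeparatorChar;

    // Allow-list of media types; anything not listed (including .aspx) is rejected.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { ".jpg", ".jpeg", ".png", ".gif", ".mp4" };

    // Maps the client-supplied 'remotePath' and upload file name to a safe destination.
    // Throws if the file type is not allowed or the path leaves UploadRoot.
    public static string ResolveDestination(string remotePath, string clientFileName)
    {
        // Use the client name only to read its extension; directories are discarded.
        string name = Path.GetFileName(clientFileName ?? string.Empty);
        string ext = Path.GetExtension(name);
        // "x.aspx", "x.aspx." and "x.aspx " all fail here: none yields an allowed extension.
        if (!AllowedExtensions.Contains(ext))
            throw new InvalidOperationException("file type not allowed");

        // Treat remotePath as a sub-folder of UploadRoot, then canonicalise it so
        // "..", mixed separators and rooted paths are resolved before the check.
        string sub = (remotePath ?? string.Empty).TrimStart('\\', '/');
        string dir = Path.GetFullPath(Path.Combine(UploadRoot, sub));
        string dirWithSep = dir.TrimEnd(Path.DirectorySeparatorChar)
                            + Path.DirectorySeparatorChar;
        if (!dirWithSep.StartsWith(UploadRoot, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("path escapes upload root");

        // Store under a server-generated name so the client never controls
        // the final file name, only its (already validated) extension.
        string stored = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        return Path.Combine(dir, stored);
    }
}
```

A handler would call `ResolveDestination` only after its own authentication check and pass the returned path to `HttpPostedFile.SaveAs`; any exception is treated as a rejected upload.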

Security Summary · AI

CVE-2020-36897 is an unauthenticated remote code execution vulnerability affecting QiHang Media Web Digital Signage version 3.0.9. The flaw resides in the QH.aspx file, where the file upload functionality can be abused via the 'remotePath' and 'fileToUpload' parameters. This allows attackers to upload malicious ASPX scripts, enabling the execution of arbitrary system commands on the server. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Any unauthenticated attacker with network access can exploit this vulnerability due to its low complexity and lack of required privileges or user interaction. Successful exploitation grants full remote code execution on the affected server, providing high confidentiality, integrity, and availability impacts. Attackers can write files to arbitrary locations and execute system commands, potentially leading to complete server compromise.

Advisories from VulnCheck and Zero Science document the issue, while an exploit is publicly available on Exploit-DB. No specific patches or mitigation details are outlined in the provided references.

Details

CWE(s)

Affected Products

howfor
qihang media web digital signage
3.0.9

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Unauthenticated RCE via unrestricted file upload in public-facing web app (T1190); directly enables deployment and execution of malicious ASPX web shells (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References