CVE-2020-36898

CriticalPublic PoC

Published: 10 December 2025

Published

10 December 2025

Modified

17 December 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.1499 94.6th percentile

Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Description

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. Attackers can exploit the 'data' parameter by sending a POST request with file paths to…

delete arbitrary files with web server permissions using directory traversal sequences.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates the 'data' parameter in POST requests to QH.aspx to prevent directory traversal sequences from enabling arbitrary file deletion.

AC-3 Access Enforcement good match

prevent

Enforces authentication and authorization requirements before permitting file deletion operations at the QH.aspx endpoint.

AC-6 Least Privilege good match

prevent

Limits web server process privileges to prevent deletion of critical files even if directory traversal succeeds.

Security SummaryAI

CVE-2020-36898 is an unauthenticated arbitrary file deletion vulnerability in QiHang Media Web Digital Signage version 3.0.9. The flaw resides in the QH.aspx endpoint, where remote attackers can exploit the 'data' parameter via a POST request containing directory traversal sequences to delete arbitrary files using the web server's permissions.

Any remote attacker can exploit this vulnerability without authentication (PR:N). Successful exploitation enables deletion of critical files, resulting in high integrity (I:H) and availability (A:H) impacts but no confidentiality loss (C:N), as reflected in its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U). The issue stems from CWE-22: Improper Limitation of a Pathname to a Restricted Directory.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-arbitrary-file-deletion), Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php), and an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48749) provide additional technical details. Security practitioners should review these sources for recommended mitigations.

A public exploit is available on Exploit-DB, indicating practical exploitability despite the CVE's publication on 2025-12-10.

Details

CWE(s): CWE-22

Affected Products

howfor

qihang media web digital signage

3.0.9

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1070.004 File Deletion Stealth

Adversaries may delete files left behind by the actions of their intrusion activity.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of public-facing web application via directory traversal (T1190) enables arbitrary file deletion for disruption and data destruction (T1107).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

http://www.howfor.com
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/48749
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-arbitrary-file-deletion
Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php
Exploit, Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0