CVE-2020-37090
Published: 03 February 2026
Description
School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Directly requires validation of uploaded files in the messaging system to reject arbitrary PHP scripts and prevent RCE.
- Restricts information inputs to safe file types only, blocking uploads of dangerous PHP files through message attachments.
- Employs malicious code protection mechanisms to scan and block PHP shells in uploaded message attachments before execution.
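As an added, defensive illustration of the first two controls above (this is example code, not code from School ERP Pro or its vendor): a PHP attachment handler that allow-lists extensions, sniffs the real content type instead of trusting the client-supplied one, renames the file, and stores it outside the web root. The storage path and size limit are assumptions.

```php
<?php
declare(strict_types=1);
// Allow-list of permitted attachment extensions and the MIME type the file content must sniff as.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'txt'  => 'text/plain',
];

// Assumed storage directory outside the web root: files here are never reachable as URLs,
// so even a misnamed file cannot be handed to the PHP interpreter by the web server.
const ATTACHMENT_DIR = '/var/app-data/attachments';
const MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024; // assumed limit

// Validate one entry of $_FILES (e.g. $_FILES['attachment']) and move it into storage.
// Returns the server-chosen filename; throws on any rejection so the caller fails closed.
function storeAttachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not a genuine uploaded file');
    }
    if ($file['size'] > MAX_ATTACHMENT_BYTES) {
        throw new RuntimeException('Attachment too large');
    }

    // Only the final extension of the client-supplied name is consulted, lower-cased, and it
    // must be on the allow-list; every PHP-executable extension is rejected at this point.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("Extension '.$ext' is not permitted");
    }

    // $file['type'] comes from the client and is not trusted; sniff the real bytes instead
    // and require them to agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content type '$mime' does not match '.$ext'");
    }

    // Random server-chosen name: the original filename never reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = ATTACHMENT_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store attachment');
    }
    chmod($dest, 0640); // stored as data, never executable
    return $stored;
}
```

Downloads should then be served through a script that looks the stored name up in the message record and sends the file with a fixed, non-HTML Content-Type and a Content-Disposition attachment header.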
Security Summary [AI-generated]
School ERP Pro 1.0 suffers from a file upload vulnerability in its messaging system, classified as CVE-2020-37090 and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw allows authenticated users, such as students, to upload arbitrary PHP files through the message attachment feature. This leads to remote code execution (RCE) on the server, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.
Any remote attacker with network access can exploit this vulnerability without authentication privileges, as indicated by the CVSS metrics. By uploading a malicious PHP script via the messaging attachment, the attacker gains the ability to execute arbitrary code on the server, potentially compromising confidentiality, integrity, and availability through full system control.
Advisories and references, including those from Exploit-DB (exploit 48392) and Vulncheck, document the vulnerability and provide proof-of-concept exploits demonstrating the RCE. Archived project pages on SourceForge and the vendor site (arox.in) highlight the affected School ERP Pro 1.0 software, but no specific patches or mitigations are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability enables unauthenticated remote code execution through unrestricted file upload of PHP scripts in a public-facing web application (School ERP Pro messaging system), directly mapping to T1190: Exploit Public-Facing Application.