CVE-2009-20006

CRITICAL

osCommerce <= 2.2 RC2a - Unauthenticated Arbitrary File Upload via Admin File Manager

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-20006. PoCs published by Metasploit, flyh4t, egypt, including Metasploit module exploits/unix/webapp/oscommerce_filemanager.

AI-analyzed exploit summary This Metasploit module exploits an arbitrary PHP code execution vulnerability in osCommerce 2.2 by uploading a malicious PHP file through the admin file manager. The exploit leverages unauthenticated file upload to achieve remote code execution.

Description

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/16899

This Metasploit module exploits an arbitrary PHP code execution vulnerability in osCommerce 2.2 by uploading a malicious PHP file through the admin file manager. The exploit leverages unauthenticated file upload to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: osCommerce 2.2
No auth needed
Prerequisites: Network access to the target osCommerce installation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by flyh4t · phpwebappsphp
https://www.exploit-db.com/exploits/9556

This PHP script exploits a remote code execution (RCE) vulnerability in osCommerce Online Merchant 2.2 RC2a by sending a crafted HTTP POST request to save a malicious PHP file via the file manager. The exploit leverages improper input validation to upload a webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: osCommerce Online Merchant 2.2 RC2a
No auth needed
Prerequisites: Target must be running osCommerce Online Merchant 2.2 RC2a · File manager must be accessible without authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by egypt · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb

This Metasploit module exploits an arbitrary PHP code execution vulnerability in osCommerce 2.2 by uploading a malicious PHP file through the admin file manager. The exploit leverages unauthenticated file upload to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: osCommerce 2.2
No auth needed
Prerequisites: Access to the admin/file_manager.php endpoint · PHP file upload functionality enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v4 9.3
EPSS 0.0114
EPSS Percentile 62.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
osCommerce/osCommerce < 2.2 RC2a
Published Sep 16, 2025
Tracked Since Feb 18, 2026