CVE-2009-3705
Achievo < 1.4.0 - Remote Code Execution via Debugger Config Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2009-3705. PoCs published by M3NW5.
AI-analyzed exploit summary This is a writeup describing a Remote File Include (RFI) vulnerability in Achievo 1.3.4 via the debugger.php file. The exploit leverages the 'config_atkroot' parameter to include arbitrary remote files.
Description
PHP remote file inclusion vulnerability in debugger.php in Achievo before 1.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by M3NW5 · textwebappsphp
https://www.exploit-db.com/exploits/9839
This is a writeup describing a Remote File Include (RFI) vulnerability in Achievo 1.3.4 via the debugger.php file. The exploit leverages the 'config_atkroot' parameter to include arbitrary remote files.
Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target:
Achievo 1.3.4
No auth needed
Prerequisites:
Remote file inclusion must be enabled on the target server · Attacker must be able to host a malicious file on a remote server
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1023017
Exploit x_refsource_misc
http://packetstormsecurity.org/0909-exploits/achievo134-rfi.txt
Not Applicable x_refsource_confirm
http://www.achievo.org/download/releasenotes/1_4_0
Scores
EPSS
0.0940
EPSS Percentile
94.8%
Details
CWE
CWE-94
Status
published
Products (21)
achievo/achievo
0.7.0
achievo/achievo
0.7.1
achievo/achievo
0.7.2
achievo/achievo
0.7.3
achievo/achievo
0.8.0 (3 CPE variants)
achievo/achievo
0.8.1
achievo/achievo
0.9.0
achievo/achievo
0.9.1
achievo/achievo
1.0.0 (4 CPE variants)
achievo/achievo
1.0.1
... and 11 more
Published
Oct 16, 2009
Tracked Since
Feb 18, 2026