CVE-2013-10047

MiniWeb HTTP Server <= Build 300 - File Upload

Title source: llm

Description

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server’s filesystem. By abusing the upload handler and crafting a traversal path, an attacker can place a malicious .exe in system32, followed by a .mof file in the WMI directory. This triggers execution of the payload with SYSTEM privileges via the Windows Management Instrumentation service. The exploit is only viable on Windows versions prior to Vista.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/27607

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by AkaStep, bcoles · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/miniweb_upload_wbem.rb

View Code ZIP pw:eip

References (4)

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/miniweb_upload_wbem.rb

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/27607

[Product] https://sourceforge.net/projects/miniweb/

[Third Party Advisory] https://www.vulncheck.com/advisories/miniweb-arbitrary-file-upload

Scores

EPSS 0.6180

EPSS Percentile 98.3%

Classification

CWE

CWE-434

Status draft

Timeline

Published Aug 01, 2025

Tracked Since Feb 18, 2026