CVE-2013-10047

CRITICAL

MiniWeb HTTP Server <= Build 300 - File Upload

Title source: llm

Description

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server’s filesystem. By abusing the upload handler and crafting a traversal path, an attacker can place a malicious .exe in system32, followed by a .mof file in the WMI directory. This triggers execution of the payload with SYSTEM privileges via the Windows Management Instrumentation service. The exploit is only viable on Windows versions prior to Vista.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/27607

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by AkaStep, bcoles · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/miniweb_upload_wbem.rb

View Code ZIP pw:eip

References (4)

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/miniweb_upload_wbem.rb

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/27607

[Product] https://sourceforge.net/projects/miniweb/

[Third Party Advisory] https://www.vulncheck.com/advisories/miniweb-arbitrary-file-upload

Scores

CVSS v4 9.3

EPSS 0.6535

EPSS Percentile 98.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

MiniWeb/MiniWeb < Build 300

Published Aug 01, 2025

Tracked Since Feb 18, 2026