CVE-2018-20166

HIGH

Rukovoditel 2.3.1 - Authenticated Remote Code Execution via Malicious Background Image Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20166. PoCs published by AkkuS.

AI-analyzed exploit summary This Metasploit module exploits an authenticated file upload vulnerability in Rukovoditel Project Management/CRM 2.3.1 by bypassing extension checks with a .pHp extension and embedding a GIF header to upload a malicious PHP payload.

Description

A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in ".php" with mixed case, such as the .pHp extension.

Exploits (1)

exploitdb WORKING POC
by AkkuS · rubywebappsphp
https://www.exploit-db.com/exploits/46011

This Metasploit module exploits an authenticated file upload vulnerability in Rukovoditel Project Management/CRM 2.3.1 by bypassing extension checks with a .pHp extension and embedding a GIF header to upload a malicious PHP payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Rukovoditel Project Management/CRM <= 2.3.1
Auth required
Prerequisites: Valid credentials for the target application · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46011

Scores

CVSS v3 8.8
EPSS 0.0382
EPSS Percentile 88.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
rukovoditel/rukovoditel 2.3.1
Published Jan 02, 2019
Tracked Since Feb 18, 2026