CVE-2019-16662

CRITICAL EXPLOITED NUCLEI

rconfig 3.9.2 - OS Command Injection via ajaxServerSettingsChk.php rootUname Parameter

Title source: llm

Exploitation Summary

CVE-2019-16662 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, Askar, mhaskar, including a Metasploit module exploits/unix/webapp/rconfig_install_cmd_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated command injection vulnerability in rConfig via the `ajaxServerSettingsChk.php` file. It supports both in-memory and dropper-based payloads for Unix/Linux targets.

Description

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/47602

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in rConfig via the `ajaxServerSettingsChk.php` file. It supports both in-memory and dropper-based payloads for Unix/Linux targets.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: rConfig versions 3.9.2 and prior

No auth needed

Prerequisites: Exposed rConfig install directory · Network access to target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Askar · pythonwebappsphp

https://www.exploit-db.com/exploits/47555

View Code ZIP pw:eip

This exploit targets a remote code execution vulnerability in rConfig 3.9.2 by injecting a PHP payload via the `rootUname` parameter in an unauthenticated request to `/install/lib/ajaxHandlers/ajaxServerSettingsChk.php`. The payload establishes a reverse shell to a specified IP and port.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: rConfig v3.9.2

No auth needed

Prerequisites: Network access to the target · A listener set up on the specified IP and port

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 13 stars

by mhaskar · remote

https://github.com/mhaskar/CVE-2019-16662

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16662, targeting rConfig 3.9.2. The exploit leverages an unauthenticated remote code execution vulnerability by injecting a reverse shell payload via the `ajaxServerSettingsChk.php` endpoint.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: rConfig v3.9.2

No auth needed

Prerequisites: Target must have rConfig 3.9.2 installed · Target must have the installation directory accessible · Attacker must have a listener set up for the reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by mhaskar, bcoles · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/rconfig_install_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior via the `ajaxServerSettingsChk.php` file. It allows arbitrary command execution as the web server user by injecting commands through the `rootUname` parameter.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: rConfig <= 3.9.2

No auth needed

Prerequisites: Exposed rConfig install directory · Network access to the target

MITRE ATT&CK