CVE-2019-19509

HIGH · EXPLOITED IN THE WILD

rConfig 3.9.3 - Authenticated OS Command Injection via ajaxArchiveFiles.php Path Parameter


Exploitation Summary

CVE-2019-19509 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 3 public exploits from researchers including vikingfr, Jean-Pascal Thomas and Orange Cyberdefense, among them the Metasploit module exploits/linux/http/rconfig_ajaxarchivefiles_rce.

AI-analyzed exploit summary: This exploit leverages an authenticated remote code execution vulnerability in rConfig 3.9.3 by injecting a reverse shell payload via the `path` parameter in an AJAX handler. It requires valid credentials and triggers a bash reverse shell to a specified IP and port.

Description

An issue was discovered in rConfig 3.9.3. A remote authenticated user can directly execute system commands by sending a GET request to ajaxArchiveFiles.php because the path parameter is passed to the exec function without filtering, which can lead to command execution.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by vikingfr · python · webapps · php
https://www.exploit-db.com/exploits/47982

This exploit leverages an authenticated remote code execution vulnerability in rConfig 3.9.3 by injecting a reverse shell payload via the `path` parameter in an AJAX handler. It requires valid credentials and triggers a bash reverse shell to a specified IP and port.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: rConfig 3.9.3
Auth required
Prerequisites: Valid credentials for rConfig · Network access to the target · Listener set up on attacker's machine
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GOOD
by Jean-Pascal Thomas, Orange Cyberdefense · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/rconfig_ajaxarchivefiles_rce.rb

This Metasploit module exploits CVE-2019-19509, a command injection vulnerability in rConfig 3.9, by chaining it with an SQL injection (CVE-2020-10220) to bypass authentication. It creates an admin user, authenticates, and executes arbitrary commands via the `path` parameter in `ajaxArchiveFiles.php`.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: rConfig 3.9.3 and 3.9.4
No auth needed
Prerequisites: Network access to the target · rConfig 3.9.x installation
devstral-2 · analyzed Apr 23, 2026

exploitdb · WORKING POC
ruby · remote · linux
https://www.exploit-db.com/exploits/48223

This Metasploit module exploits CVE-2019-19509, a command injection vulnerability in rConfig 3.9, by chaining it with an SQL injection (CVE-2020-10220) to bypass authentication. It creates an admin user, authenticates, executes arbitrary commands via the `path` parameter in `ajaxArchiveFiles.php`, and cleans up by removing the added user.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: rConfig 3.9.3 and 3.9.4
No auth needed
Prerequisites: Network access to the target · rConfig 3.9.x installed
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/v1k1ngfr
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/156146/rConfig-3.9.3-Remote-Code-Execution.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html

Scores

CVSS v3 8.8
EPSS 0.9190
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-12-14
InTheWild.io 2020-11-10
CWE CWE-78
Status published
Products (1)
rconfig/rconfig 3.9.3
Published Jan 06, 2020
Tracked Since Feb 18, 2026