CVE-2020-10220

CRITICAL NUCLEI

Rconfig 3.x Chained Remote Code Execution

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2020-10220. PoCs published by Metasploit, vikingfr, CSpanias, including Metasploit module exploits/linux/http/rconfig_ajaxarchivefiles_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2020-10220 and CVE-2019-19509 in rConfig 3.9.x, chaining SQL injection for authentication bypass and command injection for remote code execution. It automates the creation of an admin user, authentication, payload execution, and cleanup.

Description

An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/48223

This Metasploit module exploits CVE-2020-10220 and CVE-2019-19509 in rConfig 3.9.x, chaining SQL injection for authentication bypass and command injection for remote code execution. It automates the creation of an admin user, authentication, payload execution, and cleanup.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: rConfig 3.9.3 and 3.9.4
No auth needed
Prerequisites: Network access to the target · rConfig 3.9.x instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by vikingfr · pythonwebappsphp
https://www.exploit-db.com/exploits/48208

This exploit demonstrates a SQL injection vulnerability in rConfig 3.9 via the 'searchColumn' parameter in 'commands.inc.php'. It extracts database names, user credentials, and device information using UNION-based SQLi techniques.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: rConfig 3.9.4
No auth needed
Prerequisites: Network access to the target rConfig instance · The vulnerable endpoint '/commands.inc.php' must be accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by CSpanias · poc
https://github.com/CSpanias/rConfig_rce

This PoC combines SQL injection and command injection to exploit rConfig 3.9.4, extracting database credentials, cracking hashes via hashcat, and optionally triggering a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce | Sqli
Complexity
Moderate
Reliability
Reliable
Target: rConfig 3.9.4
No auth needed
Prerequisites: Python 3 · requests library · hashcat · rockyou.txt wordlist · best64.rules
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by Jean-Pascal Thomas, Orange Cyberdefense · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/rconfig_ajaxarchivefiles_rce.rb

This Metasploit module exploits CVE-2020-10220 and CVE-2019-19509 in rConfig 3.9.x, chaining SQL injection for authentication bypass and command injection for remote code execution. It creates a temporary admin user, authenticates, executes payloads, and cleans up by removing the user.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: rConfig 3.9.3, 3.9.4
No auth needed
Prerequisites: Network access to target · rConfig 3.9.x installation
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

rConfig 3.9 - SQL Injection
CRITICALVERIFIEDby ritikchaddha,theamanrawat
Shodan: title:"rConfig" || http.title:"rconfig"
FOFA: title="rconfig"

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.9426
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
rconfig/rconfig < 3.9.4
Published Mar 07, 2020
Tracked Since Feb 18, 2026