CVE-2020-13166

Severity: CRITICAL

MyLittleAdmin 3.8 - Unauthenticated Remote Code Execution via Hardcoded MachineKey

Title source: LLM-generated

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-13166. PoCs have been published by Metasploit, Spencer McIntyre and wvu, including the Metasploit module exploits/windows/http/plesk_mylittleadmin_viewstate.

AI-analyzed exploit summary: This Metasploit module exploits a .NET deserialization vulnerability in myLittleAdmin for SQL Server (CVE-2020-13166) by crafting a malicious ViewState payload. It leverages hardcoded machineKey parameters to achieve remote code execution as the SQL admin user.

Description

The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

Exploits (2)

exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/48513

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: myLittleAdmin for SQL Server 3.8 and older
Authentication: none required
Prerequisites: Target running myLittleAdmin with default machineKey configuration · Network access to the myLittleAdmin interface (typically port 8401)
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC · Excellent
by Spencer McIntyre, wvu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/plesk_mylittleadmin_viewstate.rb

This Metasploit module exploits a .NET deserialization vulnerability in myLittleAdmin for SQL Server (CVE-2020-13166) via crafted ViewState payloads. It leverages hardcoded machineKey parameters to achieve remote code execution as the SQL Admin account.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: myLittleAdmin for SQL Server 3.8 (and likely older versions)
Authentication: none required
Prerequisites: Target running myLittleAdmin with default machineKey configuration · Network access to the myLittleAdmin interface (typically port 8401)
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core references (2)
Exploit, Third Party Advisory (x_refsource_misc): https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/

Scores

CVSS v3: 9.8
EPSS: 0.7742
EPSS percentile: 99.0%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-798
Status: published
Products (1): mylittletools/mylittleadmin 3.8
Published: May 19, 2020
Tracked since: Feb 18, 2026