CVE-2020-13166

CRITICAL

MyLittleAdmin 3.8 - RCE

Title source: llm

Description

The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/48513

metasploit WORKING POC EXCELLENT
by Spencer McIntyre, wvu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/plesk_mylittleadmin_viewstate.rb

Scores

CVSS v3 9.8
EPSS 0.7742
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-798
Status published
Products (1)
mylittletools/mylittleadmin 3.8
Published May 19, 2020
Tracked Since Feb 18, 2026