CVE-2020-28337

HIGH

Microweber < 1.1.20 - Authenticated Remote Code Execution via Backup Restore Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28337. PoCs published by sl1nki.

AI-analyzed exploit summary This exploit leverages an authenticated RCE vulnerability in Microweber CMS by uploading a malicious ZIP file, moving it to the backup directory, and restoring it to achieve arbitrary PHP code execution. The payload is extracted to a predictable path due to unsafe ZIP extraction.

Description

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

Exploits (1)

exploitdb WORKING POC

by sl1nki · pythonwebappsphp

https://www.exploit-db.com/exploits/49856

View Code ZIP pw:eip

This exploit leverages an authenticated RCE vulnerability in Microweber CMS by uploading a malicious ZIP file, moving it to the backup directory, and restoring it to achieve arbitrary PHP code execution. The payload is extracted to a predictable path due to unsafe ZIP extraction.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microweber CMS <= 1.1.20

Auth required

Prerequisites: Valid admin credentials · Access to the target's upload functionality

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50

View Patch ZIP pw:eip

Third Party Advisory x_refsource_misc

https://sl1nki.page/advisories/CVE-2020-28337

Exploit, Patch, Third Party Advisory x_refsource_misc

https://sl1nki.page/blog/2021/02/01/microweber-zip-slip

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.html

Scores

CVSS v3 7.2

EPSS 0.1381

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

microweber/microweber < 1.1.20

microweber/microweber 0 - 1.2.3Packagist

Published Feb 15, 2021

Tracked Since Feb 18, 2026