CVE-2020-28871

CRITICAL IN THE WILD NUCLEI

Monitorr 1.7.6m - Unauthenticated Remote Code Execution via Insecure File Upload

Title source: llm

Exploitation Summary

CVE-2020-28871 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 2 public exploits from researchers including Lyhin\'s Lab, including a Metasploit module exploits/multi/http/monitorr_webshell_rce_cve_2020_28871. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets Monitorr 1.7.6m by uploading a malicious PHP file via an unauthenticated file upload vulnerability, then triggering it to execute a reverse shell. The payload uses a GIF magic number to bypass basic file type checks.

Description

Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Lyhin\'s Lab · pythonwebappsphp

https://www.exploit-db.com/exploits/48980

View Code ZIP pw:eip

This exploit targets Monitorr 1.7.6m by uploading a malicious PHP file via an unauthenticated file upload vulnerability, then triggering it to execute a reverse shell. The payload uses a GIF magic number to bypass basic file type checks.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Monitorr 1.7.6m

No auth needed

Prerequisites: Network access to the target · Target running Monitorr 1.7.6m

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/monitorr_webshell_rce_cve_2020_28871.rb

View Code ZIP pw:eip

This Metasploit module exploits an arbitrary file upload vulnerability in Monitorr (CVE-2020-28871) to achieve unauthenticated remote code execution. It uploads a malicious PHP webshell disguised as a GIF file and executes commands via HTTP requests.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Monitorr versions 1.7.6m, 1.7.7d and below

No auth needed

Prerequisites: Network access to the target web server · Monitorr application running with vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Monitorr 1.7.6m - Unauthenticated Remote Code Execution

CRITICALby gy741

Shodan: http.favicon.hash:"-211006074"

FOFA: icon_hash="-211006074"

References (5)

Core 5

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/163263/Monitorr-1.7.6m-Bypass-Information-Disclosure-Shell-Upload.html

Exploit, Third Party Advisory

https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/48980

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/170974/Monitorr-1.7.6-Shell-Upload.html

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171429/Monitorr-1.7.6m-1.7.7d-Remote-Code-Execution.html

Scores

CVSS v3 9.8

EPSS 0.9392

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

InTheWild.io 2021-04-18

CWE

CWE-434

Status published

Products (1)

monitorr/monitorr 1.7.6m

Published Feb 10, 2021

Tracked Since Feb 18, 2026