CVE-2020-36877

CRITICAL

ReQuest Serious Play F3 Media Server 7.0.3 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36877. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit targets an unauthenticated file upload vulnerability in ReQuest Serious Play F3 Media Server, allowing remote code execution via PHP file upload. It establishes a reverse shell by leveraging the hidden '/tools/upload.html' endpoint.

Description

ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappshardware

https://www.exploit-db.com/exploits/48952

View Code ZIP pw:eip

This exploit targets an unauthenticated file upload vulnerability in ReQuest Serious Play F3 Media Server, allowing remote code execution via PHP file upload. It establishes a reverse shell by leveraging the hidden '/tools/upload.html' endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ReQuest Serious Play F3 Media Server 7.0.3 and earlier

No auth needed

Prerequisites: Network access to the target server · PHP execution capability on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory vendor-advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php

Various Sources product

http://request.com/

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/48952

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/request-serious-play-f-media-server-unauthenticated-rce

Scores

CVSS v4 9.3

EPSS 0.0060

EPSS Percentile 44.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (6)

ReQuest Serious Play LLC/ReQuest Serious Play 2.0.1.823

ReQuest Serious Play LLC/ReQuest Serious Play 6.3.2.4203

ReQuest Serious Play LLC/ReQuest Serious Play 6.4.2.4681

ReQuest Serious Play LLC/ReQuest Serious Play 6.5.2.4954

ReQuest Serious Play LLC/ReQuest Serious Play 7.0.2.4954

ReQuest Serious Play LLC/ReQuest Serious Play Pro 7.0.3.4968

Published Dec 05, 2025

Tracked Since Feb 18, 2026