CVE-2020-36897

CRITICAL

QiHang Media Web Digital Signage 3.0.9 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36897. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated remote code execution vulnerability in QiHang Media Web Digital Signage 3.0.9 by uploading a malicious ASPX script via the QH.aspx endpoint. The script allows arbitrary command execution through a crafted multipart form upload.

Description

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappshardware
https://www.exploit-db.com/exploits/48751

This exploit demonstrates an unauthenticated remote code execution vulnerability in QiHang Media Web Digital Signage 3.0.9 by uploading a malicious ASPX script via the QH.aspx endpoint. The script allows arbitrary command execution through a crafted multipart form upload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: QiHang Media Web Digital Signage 3.0.9
No auth needed
Prerequisites: Network access to the target server · QH.aspx endpoint exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/48751
Product product
http://www.howfor.com
Exploit, Third Party Advisory vendor-advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php

Scores

CVSS v3 9.8
EPSS 0.0109
EPSS Percentile 61.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
howfor/qihang_media_web_digital_signage 3.0.9
Published Dec 10, 2025
Tracked Since Feb 18, 2026