CVE-2023-34960

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

Chamilo unauthenticated command injection in PowerPoint upload

Title source: metasploit

Exploitation Summary

CVE-2023-34960 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 13 public exploits, from researchers including Aituglo, Ap0dexMe0 and ThatNotEasy, as well as the Metasploit module `exploits/linux/http/chamilo_unauth_rce_cve_2023_34960`. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2023-34960, a command injection vulnerability in Chamilo's SOAP web service. It crafts a malicious SOAP request to execute arbitrary commands via the `file_name` parameter.

Description

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.

Exploits (13)

nomisec WORKING POC 34 stars
by Aituglo · remote
https://github.com/Aituglo/CVE-2023-34960

This PoC exploits CVE-2023-34960, a command injection vulnerability in Chamilo's SOAP web service. It crafts a malicious SOAP request to execute arbitrary commands via the `file_name` parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Chamilo (version not specified)
No auth needed
Prerequisites: Network access to the target Chamilo instance · SOAP web service endpoint exposed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 23 stars
by Ap0dexMe0 · poc
https://github.com/Ap0dexMe0/CVE-2023-34960

This repository contains a functional exploit for CVE-2023-34960, an unauthenticated command injection vulnerability in Chamilo. The exploit crafts a malicious SOAP request to execute arbitrary commands via the `file_name` parameter in the `wsConvertPpt` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo (unspecified version)
No auth needed
Prerequisites: Target URL · Network access to the Chamilo instance
devstral-2 · analyzed May 16, 2026

nomisec WORKING POC 22 stars
by ThatNotEasy · remote
https://github.com/ThatNotEasy/CVE-2023-34960

This is a functional exploit for CVE-2023-34960, targeting an unauthenticated command injection vulnerability in Chamilo LMS. The exploit crafts a malicious SOAP request to execute arbitrary commands via the `file_name` parameter in the `wsConvertPpt` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Chamilo LMS (versions affected by CVE-2023-34960)
No auth needed
Prerequisites: Network access to the target Chamilo instance · SOAP endpoint exposed at `/main/webservices/additional_webservices.php`
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by Mantodkaz · remote
https://github.com/Mantodkaz/CVE-2023-34960

This repository contains a Python-based exploit for CVE-2023-34960, a command injection vulnerability in Chamilo. The exploit automates the detection and exploitation of the vulnerability by sending a malicious SOAP request to upload a web shell (wso.php).

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo (version not specified)
No auth needed
Prerequisites: Target URL list · Python environment with required libraries
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Jenderal92 · remote
https://github.com/Jenderal92/CHAMILO-CVE-2023-34960

This is a Python 2.7 exploit for CVE-2023-34960, targeting Chamilo LMS. It leverages a SOAP-based command injection vulnerability to achieve remote code execution (RCE) and uploads a PHP shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo LMS (version not specified)
No auth needed
Prerequisites: Target URL list · Network access to the vulnerable Chamilo instance
devstral-2 · analyzed Feb 16, 2026

gitlab WORKING POC
by aituglo · poc
https://gitlab.com/aituglo/CVE-2023-34960

This repository contains a functional exploit for CVE-2023-34960, a command injection vulnerability in Chamilo LMS. The PoC leverages a SOAP API endpoint to execute arbitrary commands via crafted XML payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Chamilo LMS (versions affected by CVE-2023-34960)
No auth needed
Prerequisites: Network access to the target Chamilo instance · SOAP endpoint exposed at `/main/webservices/additional_webservices.php`
devstral-2 · analyzed Feb 23, 2026

gitlab WORKING POC
by mdelaclaire · poc
https://gitlab.com/mdelaclaire/CVE-2023-34960

This repository contains a functional exploit for CVE-2023-34960, a command injection vulnerability in Chamilo. The exploit leverages a crafted SOAP request to execute arbitrary commands, including downloading and uploading a shell (anon.php).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo (version not specified)
No auth needed
Prerequisites: Target URL list · Python environment with required libraries
devstral-2 · analyzed Feb 23, 2026

gitlab WORKING POC
by mdelaclaire · poc
https://gitlab.com/mdelaclaire/CVE-2023-34960-ex

The repository contains a functional exploit for CVE-2023-34960, a mass unauthenticated command injection vulnerability in Chamilo. The exploit is obfuscated using base85 encoding and zlib compression, which is a common technique to bypass simple detection mechanisms.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo 1.x
No auth needed
Prerequisites: Python 3.7+ · Network access to vulnerable Chamilo instance
devstral-2 · analyzed Feb 23, 2026

nomisec WRITEUP
by tpdlshdmlrkfmcla · poc
https://github.com/tpdlshdmlrkfmcla/cve-2023-34960

The repository contains only a README.md file describing CVE-2023-34960, an RCE vulnerability in Chamilo's SOAP API. No exploit code or technical details are provided.

Classification: Writeup 30%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Chamilo (version unspecified)
No auth needed
Prerequisites: Access to Chamilo SOAP API endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by tucommenceapousser · poc
https://github.com/tucommenceapousser/CVE-2023-34960-ex

This repository contains a Python-based exploit for CVE-2023-34960, a mass unauthenticated command injection vulnerability in Chamilo. The exploit is obfuscated using base85 encoding and zlib compression, while the hunt.py script is a scanner for finding vulnerable Chamilo instances using the Hunter.how API.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo 1.x
No auth needed
Prerequisites: Python 3.7+ · Hunter.how API key (for hunt.py)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by YongYe-Security · poc
https://github.com/YongYe-Security/CVE-2023-34960

This repository contains a Python-based exploit for CVE-2023-34960, targeting a command injection vulnerability in Chamilo LMS. The exploit crafts a malicious SOAP request to execute arbitrary commands via the `file_name` parameter in the `wsConvertPpt` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Chamilo LMS (versions affected by CVE-2023-34960)
No auth needed
Prerequisites: Network access to the target Chamilo instance · SOAP endpoint exposed at `/main/webservices/additional_webservices.php`
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
dos
https://github.com/YongYe-Security/Chamilo_CVE-2023-34960-EXP

This repository contains a functional exploit for CVE-2023-34960, a command injection vulnerability in Chamilo LMS. The exploit crafts a malicious SOAP request to execute arbitrary commands via the `file_name` parameter in the `wsConvertPpt` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Chamilo LMS (versions affected by CVE-2023-34960)
No auth needed
Prerequisites: Network access to the target Chamilo instance · SOAP endpoint exposed at `/main/webservices/additional_webservices.php`
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/chamilo_unauth_rce_cve_2023_34960.rb

This Metasploit module exploits an unauthenticated remote command execution vulnerability in Chamilo (CVE-2023-34960) via a malicious SOAP request to the `/main/webservices/additional_webservices.php` endpoint. It supports multiple payload types including PHP, Unix commands, and Linux droppers.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo <= 1.11.18
No auth needed
Prerequisites: Network access to the target · SOAP endpoint exposed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Chamilo Command Injection
CRITICAL · VERIFIED · by DhiyaneshDK
Shodan: http.component:"Chamilo" || http.component:"chamilo" || cpe:"cpe:2.3:a:chamilo:chamilo"

Scores

CVSS v3 9.8
EPSS 0.9399
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2023-07-16
InTheWild.io 2024-09-18
CWE CWE-77
Status published
Products (1)
chamilo/chamilo 1.11.0 - 1.11.18
Published Aug 01, 2023
Tracked Since Feb 18, 2026