CVE-2023-45878

CRITICAL · EXPLOITED · NUCLEI

GibbonEdu Gibbon <25.0.1 - Arbitrary File Write


Exploitation Summary

CVE-2023-45878 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including davidzzo23, killercd, Can0I0Ever0Enter. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2023-45878, an arbitrary file write vulnerability in GibbonEdu. The exploit uploads a PHP web shell via the `rubrics_visualise_saveAjax.php` endpoint and allows remote command execution or a PowerShell reverse shell.

Description

GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.php does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64-encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64-decoded and written to the defined file path. This allows creation of PHP files that permit unauthenticated Remote Code Execution.

Exploits (9)

nomisec WORKING POC 3 stars
by davidzzo23 · remote
https://github.com/davidzzo23/CVE-2023-45878

This repository contains a functional exploit for CVE-2023-45878, an arbitrary file write vulnerability in GibbonEdu. The exploit uploads a PHP web shell via the `rubrics_visualise_saveAjax.php` endpoint and allows remote command execution or a PowerShell reverse shell.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GibbonEdu (specific version not specified)
No auth needed
Prerequisites: Network access to the target GibbonEdu instance · Python 3 environment
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 3 stars
by killercd · remote
https://github.com/killercd/CVE-2023-45878

This exploit demonstrates an arbitrary file write vulnerability in GibbonEdu Gibbon version 25.0.1, allowing an attacker to upload a malicious PHP file and achieve remote code execution. The exploit sends a crafted POST request to the vulnerable endpoint, writes a PHP webshell, and then executes a command via a GET request.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: GibbonEdu Gibbon version 25.0.1
No auth needed
Prerequisites: Network access to the target GibbonEdu instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by Can0I0Ever0Enter · poc
https://github.com/Can0I0Ever0Enter/CVE-2023-45878

This repository contains a functional Python exploit for CVE-2023-45878, targeting a file upload vulnerability in Gibbon CMS. The exploit uploads a malicious PHP shell via a vulnerable endpoint and provides an interactive shell for remote command execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Gibbon CMS (version not explicitly specified)
No auth needed
Prerequisites: Network access to the vulnerable Gibbon CMS instance · Vulnerable endpoint accessible
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by byt3loss · poc
https://github.com/byt3loss/CVE-2023-45878_to_RCE

This repository contains a functional exploit script that chains CVE-2023-45878 (arbitrary file write in Gibbon LMS) to achieve remote code execution by uploading a webshell and executing a reverse shell payload.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Gibbon LMS
No auth needed
Prerequisites: msfvenom · curl · python · network connectivity to target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by PaulDHaes · remote
https://github.com/PaulDHaes/CVE-2023-45878-POC

This repository contains a functional Python exploit for CVE-2023-45878, targeting Gibbon LMS. It uploads a PHP webshell via a file upload vulnerability and supports both single command execution and reverse shell functionality.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Gibbon LMS
No auth needed
Prerequisites: Network access to the target Gibbon LMS instance · Python 3.x environment
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by ulricvbs · remote
https://github.com/ulricvbs/gibbonlms-filewrite_rce

This repository contains a functional exploit for CVE-2023-45878, an arbitrary file write vulnerability in Gibbon LMS versions 25.0.1 and earlier. The exploit leverages unauthenticated access to the `rubrics_visualise_saveAjax.php` endpoint to upload a PHP webshell, enabling remote code execution.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Gibbon LMS <= 25.0.1
No auth needed
Prerequisites: Network access to the target Gibbon LMS instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by nrazv · remote
https://github.com/nrazv/CVE-2023-45878

This repository contains a functional Go-based exploit for CVE-2023-45878, targeting GibbonEdu Gibbon versions 25.0.1 and earlier. The exploit leverages an arbitrary file write vulnerability to upload a malicious PHP shell, then executes a PowerShell reverse shell payload via HTTP.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GibbonEdu Gibbon <= 25.0.1
No auth needed
Prerequisites: Target must be running Windows Server · Network connectivity to the target · Netcat listener for reverse shell
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by dgoorden · remote
https://github.com/dgoorden/CVE-2023-45878

This repository contains a functional exploit for CVE-2023-45878, targeting an arbitrary file write vulnerability in Gibbon LMS 25.0.1. The exploit uploads a PHP web shell and triggers a PowerShell reverse shell to achieve remote code execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Gibbon LMS 25.0.1
No auth needed
Prerequisites: Target URL with Gibbon LMS installed · Attacker-controlled IP and port for reverse shell · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/0xyy66/CVE-2023-45878_to_RCE

This repository contains a functional exploit script for CVE-2023-45878, which chains an arbitrary file write vulnerability in Gibbon LMS to achieve remote code execution (RCE) on Windows targets. The script automates the generation of a reverse shell payload, uploads a webshell, and executes the payload on the target system.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Gibbon LMS
No auth needed
Prerequisites: msfvenom · curl · Python HTTP server · network connectivity to target
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Gibbon LMS <= v25.0.01 - File Upload to RCE
CRITICAL · VERIFIED · by ajdumanhug
Shodan: http.favicon.hash:-165631681 || http.favicon.hash:"-165631681"
FOFA: icon_hash="-165631681"

Scores

CVSS v3 9.8
EPSS 0.9256
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-05-19
CWE
CWE-787
Status published
Products (1)
gibbonedu/gibbon < 25.0.01
Published Nov 14, 2023
Tracked Since Feb 18, 2026