CVE-2023-54335

CRITICAL

eXtplorer < 2.1.14 - Unauthenticated Authentication Bypass and Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54335. PoCs published by ErPaciocco.

AI-analyzed exploit summary: This exploit demonstrates an authentication bypass vulnerability in eXtplorer <= 2.1.14 by omitting the password field in a POST request, followed by a file upload leading to remote code execution. The script automates the process of detecting the vulnerability, bypassing authentication, and uploading a malicious PHP file.

Description

eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to log in without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system.

Exploits (1)

exploitdb WORKING POC
by ErPaciocco · text · webapps · php
https://www.exploit-db.com/exploits/51067


Classification: Working PoC 95%
Attack Type: Auth Bypass | RCE
Complexity: Moderate
Reliability: Reliable
Target: eXtplorer <= 2.1.14
No auth needed
Prerequisites: Target URL · Network access to the target
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/51067
Product product
https://extplorer.net/

Scores

CVSS v3 9.8
EPSS 0.0496
EPSS Percentile 91.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-306
Status published
Products (2)
extplorer/extplorer < 2.1.14
Extplorer/eXtplorer < 2.1.14
Published Jan 13, 2026
Tracked Since Feb 18, 2026