EIP-2026-107579

PRE-CVE

HelpDeskZ 1.0.2 - Arbitrary File Upload

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-107579. PoCs published by Lars Morgenroth.

AI-analyzed exploit summary This exploit leverages a time-based filename obfuscation weakness in HelpDeskZ v1.0.2 to achieve unauthenticated remote code execution by brute-forcing the MD5 hash of the uploaded PHP shell filename. The script automates the discovery of the uploaded shell by guessing the server's timestamp.

Description

HelpDeskZ 1.0.2 - Arbitrary File Upload

Exploits (1)

exploitdb WORKING POC

by Lars Morgenroth · pythonwebappsphp

https://www.exploit-db.com/exploits/40300

View Code ZIP pw:eip

This exploit leverages a time-based filename obfuscation weakness in HelpDeskZ v1.0.2 to achieve unauthenticated remote code execution by brute-forcing the MD5 hash of the uploaded PHP shell filename. The script automates the discovery of the uploaded shell by guessing the server's timestamp.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: HelpDeskZ v1.0.2

No auth needed

Prerequisites: Uploaded PHP shell via the ticket submission form · Server time synchronization for brute-force success

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026