cbcvebase.
CVE-2009-20006
published 2025-09-16


Priority: P272 · critical · 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public exploit available
EPSS: 1.14% (62.7th percentile)
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.

Affected

1 range
Vendor: oscommerce · Product: oscommerce · Version range: <= 2.2 RC2a · Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: admin/file_manager.php
  • Monitor for unauthenticated POST requests targeting admin/file_manager.php, especially those uploading .php files
  • Alert on .php file uploads via the osCommerce file manager utility from unauthenticated sessions
  • Detect webshell execution originating from the osCommerce admin file manager, running with webserver permissions
  • Vulnerability affects osCommerce versions up to and including 2.2 RC2a; verify target version before applying detections
  • A public Metasploit exploit module exists for this vulnerability, lowering the bar for exploitation significantly
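The detection bullets above translate into two log-side checks: a POST against admin/file_manager.php, and a request to a previously unseen .php file from the same source afterwards (the execution half of an upload-then-run chain). The script below is an added example written for this entry, not code from the record's sources or from the osCommerce project. It assumes Apache combined log format and uses constructed sample lines; the log paths, IPs and the new file name are made up. Access logs carry no session state, so whether the POST was unauthenticated has to come from application or session logs; here every POST to the file manager is flagged and left for triage.

```python
import re
from typing import List, Set

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2025:10:01:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2025:10:01:09 +0000] "POST /catalog/admin/file_manager.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [16/Sep/2025:10:01:15 +0000] "GET /catalog/images/new_file.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [16/Sep/2025:10:02:00 +0000] "GET /catalog/admin/file_manager.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2025:10:02:30 +0000] "GET /catalog/product_info.php?products_id=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path from the CVE record; matched as a suffix because the install prefix varies.
FILE_MANAGER = "admin/file_manager.php"


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def detect(lines: List[str]) -> List[dict]:
    """Scan log lines in order and return alerts for the two CVE-2009-20006 patterns.

    file_manager_post      : any POST to admin/file_manager.php (bullets 1 and 2)
    new_php_after_upload   : a 200 response for a .php path never requested earlier in
                             the window, from a source that already POSTed to the
                             file manager (bullet 3, webshell execution)
    """
    alerts: List[dict] = []
    seen_paths: Set[str] = set()    # every path requested so far in this window
    flagged_ips: Set[str] = set()   # sources that POSTed to the file manager
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.endswith(FILE_MANAGER):
            alerts.append({"line": n, "ip": ip, "rule": "file_manager_post", "path": path})
            flagged_ips.add(ip)
        elif (ip in flagged_ips and path.endswith(".php")
              and path not in seen_paths and rec["status"] == 200):
            alerts.append({"line": n, "ip": ip, "rule": "new_php_after_upload", "path": path})
        seen_paths.add(path)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the first source triggers both rules (the POST on line 2, then the unseen .php on line 3), while the second source's ordinary GET of the file manager page raises nothing. The "never requested earlier" heuristic needs a warm-up window of normal traffic to be useful; in production, replace `seen_paths` with an inventory of the files actually shipped with the store so that a freshly written .php file stands out even when the log window is short.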