cbcvebase.
CVE-2013-10047
published 2025-08-01

CVE-2013-10047: An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to…

PriorityP269critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
0.99%
58.1th percentile
An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server’s filesystem. By abusing the upload handler and crafting a traversal path, an attacker can place a malicious .exe in system32, followed by a .mof file in the WMI directory. This triggers execution of the payload with SYSTEM privileges via the Windows Management Instrumentation service. The exploit is only viable on Windows versions prior to Vista.

Affected

1 ranges
VendorProductVersion rangeFixed in
miniwebminiweb<= Build 300

Detection & IOCsextracted from sources · hover to see the quote

pathsystem32
filename.mof
filename.exe
  • Monitor for unauthenticated HTTP file upload requests to the MiniWeb HTTP Server (Build 300) upload handler, particularly those containing directory traversal sequences in the upload path targeting system32 or WMI directories.
  • Alert on creation of new .mof files in the WMI/WBEM directory (e.g., C:\Windows\System32\wbem\mof\), as this is the trigger mechanism for WMI-based payload execution with SYSTEM privileges.
  • Detect unexpected .exe files written to system32 by a web server process (e.g., MiniWeb), which is anomalous and indicative of exploitation of this file upload vulnerability.
  • Scope detection to Windows versions prior to Vista, as the exploit is only viable on those systems.
  • ·Exploitation is limited to Windows versions prior to Vista; the WMI .mof auto-execution mechanism was removed in Vista and later.
  • ·The Metasploit module targets specifically MiniWeb HTTP Server Build 300; other builds are not confirmed vulnerable by the available sources.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.