cvebase
CVE-2020-28871
published 2021-02-10

CVE-2020-28871: Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.

Priority: P1 (80), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (ITW exploit)
EPSS: 85.78% (99.7th percentile)

Affected (1 range)

Vendor: monitorr
Product: monitorr
Version range: (not listed on this page)
Fixed in: (not listed on this page)

Detection & IOCs (extracted from sources)

path: /assets/php/upload.php
path: /assets/data/usrimg/
other: http.favicon.hash:-211006074
other: icon_hash=-211006074
other: Content-Type: image/gif (with a .php filename in the multipart upload)
  • Detect multipart POST requests to /assets/php/upload.php whose file part carries a .php filename but declares Content-Type: image/gif; this is the hallmark of the CVE-2020-28871 webshell upload bypass.
  • Monitor GET requests to /assets/data/usrimg/*.php: successful exploitation ends with a PHP webshell being fetched from this directory.
  • The public exploit sends X-Requested-With: XMLHttpRequest and an Origin header alongside the multipart upload; correlate these with requests to the upload.php endpoint. A legitimate browser-side upload sends the same headers, so treat them as corroboration rather than as the sole indicator.
  • Use the Shodan/FOFA favicon hash -211006074 (http.favicon.hash / icon_hash) to find exposed Monitorr instances for proactive asset discovery.
  • The PHP payload is prefixed with the GIF magic bytes 'GIF89a' to pass content-type/magic-byte checks; scan usrimg/ for .php files that begin with GIF89a.
  • Exploitation requires no authentication; any POST to upload.php from an unauthenticated session should be treated as suspicious.
  • Affected versions include Monitorr 1.7.6m, 1.7.7d and below; confirm the version scope before applying detections to avoid false positives on patched instances.
  • The Nuclei template uses a two-step detection (upload, then fetch of the uploaded file); a detection that only matches the POST to upload.php may produce false positives on legitimate file uploads.
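The detection points above, implemented as code. This is an added example, not code from the cvebase page, the Nuclei template, or the Monitorr project. It inspects a raw multipart POST to /assets/php/upload.php for a .php filename declared as an image type and for a body that starts with GIF89a followed by a PHP open tag, and it runs the two-step correlation over access-log lines (a client that POSTed to upload.php and later fetched a .php from /assets/data/usrimg/). The multipart form field name, boundary, hostnames, IPs and log lines are constructed for the example; in particular the field name "fileToUpload" is an assumption, not taken from Monitorr.

```python
"""Detection logic for the CVE-2020-28871 upload.php webshell pattern.

Added example, not code from the cvebase page, the Nuclei template or the
Monitorr project. Form field name, boundary, hosts, IPs and log lines are
constructed sample input; the field name is an assumption.
"""
import re

UPLOAD_PATH = "/assets/php/upload.php"
USRIMG_PREFIX = "/assets/data/usrimg/"
PHP_EXT_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.I)   # .php, .php5, .phtml, .phar
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.I)
BOUNDARY_RE = re.compile(r'boundary=("?)([^";]+)\1')
PHP_TAG_RE = re.compile(rb"<\?(php|=)")
# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def looks_like_polyglot(data: bytes) -> bool:
    """GIF89a magic followed by a PHP open tag within the first 64 bytes: the bypass payload shape."""
    return data.startswith(b"GIF89a") and PHP_TAG_RE.search(data[:64]) is not None


def parse_multipart(body: bytes, boundary: bytes):
    """Minimal multipart/form-data splitter; yields (headers_dict, part_bytes) per part."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter, nothing follows
            break
        hdr_blob, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in hdr_blob.split(b"\r\n"):
            k, _, v = line.decode("latin-1").partition(":")
            headers[k.strip().lower()] = v.strip()
        yield headers, (data[:-2] if data.endswith(b"\r\n") else data)


def suspicious_parts(raw_request: bytes):
    """Return [(filename, [reasons])] for file parts of a POST to upload.php matching the bypass."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line, *hdr_lines = head.decode("latin-1").split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    if method != "POST" or target.split("?")[0] != UPLOAD_PATH:
        return []
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in hdr_lines)}
    m = BOUNDARY_RE.search(headers.get("content-type", ""))
    if not m:
        return []
    findings = []
    for part_hdrs, data in parse_multipart(body, m.group(2).encode()):
        fn = FILENAME_RE.search(part_hdrs.get("content-disposition", ""))
        if not fn:
            continue                           # plain form field, not a file
        name, declared = fn.group(1), part_hdrs.get("content-type", "").lower()
        reasons = []
        if PHP_EXT_RE.search(name) and declared.startswith("image/"):
            reasons.append("php filename declared as " + declared)
        if looks_like_polyglot(data):
            reasons.append("GIF89a magic followed by PHP open tag")
        if reasons:
            findings.append((name, reasons))
    return findings


def correlate_access_log(lines):
    """Two-step correlation: a client that POSTed to upload.php later fetches a .php from usrimg/."""
    uploaders, hits = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"].split("?")[0]
        if method == "POST" and path == UPLOAD_PATH:
            uploaders.add(ip)
        elif method == "GET" and path.startswith(USRIMG_PREFIX) and PHP_EXT_RE.search(path) and ip in uploaders:
            hits.append((ip, path))
    return hits


def build_upload(filename: str, declared_type: str, data: bytes) -> bytes:
    """Construct a sample upload request of the shape described above (field name is assumed)."""
    b = b"----ExampleBoundary7MA4YWxk"
    return (
        b"POST " + UPLOAD_PATH.encode() + b" HTTP/1.1\r\n"
        b"Host: monitorr.example\r\nX-Requested-With: XMLHttpRequest\r\nOrigin: http://monitorr.example\r\n"
        b"Content-Type: multipart/form-data; boundary=" + b + b"\r\n\r\n"
        b"--" + b + b"\r\n"
        b'Content-Disposition: form-data; name="fileToUpload"; filename="' + filename.encode() + b'"\r\n'
        b"Content-Type: " + declared_type.encode() + b"\r\n\r\n" + data + b"\r\n"
        b"--" + b + b"--\r\n"
    )


# Constructed access-log lines: one client does the upload-then-fetch sequence, another only browses.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Feb/2021:12:00:02 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 98',
    '203.0.113.7 - - [10/Feb/2021:12:00:03 +0000] "GET /assets/data/usrimg/jzmni.php?cmd=id HTTP/1.1" 200 210',
    '198.51.100.4 - - [10/Feb/2021:12:05:00 +0000] "GET /assets/data/usrimg/logo.png HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    webshell = build_upload("shell.php", "image/gif", b"GIF89a<?php system($_GET['c']); ?>")
    benign = build_upload("avatar.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x80")
    print(suspicious_parts(webshell))        # both reasons fire
    print(suspicious_parts(benign))          # []
    print(correlate_access_log(SAMPLE_LOG))  # [('203.0.113.7', '/assets/data/usrimg/jzmni.php')]
```

The request-level check fires on the content-type mismatch and on the polyglot prefix independently, so a renamed upload that omits the GIF89a trick, or a polyglot uploaded under an image filename, still produces at least one reason. The log correlation only reports a usrimg/*.php fetch from a client that earlier POSTed to upload.php, which is the two-step logic the Nuclei template relies on; a bare GET to usrimg/*.php from a different client is not reported, so pair it with the single-indicator monitoring listed above if you want lower-confidence alerts as well.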

CVSS provenance

NVD v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P