CVE-2020-28062

7.2 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on HisiPHP 2.0.11 systems through specially crafted packets that bypass access controls in the file upload functionality. It affects all deployments running the vulnerable version of HisiPHP. Attackers can exploit this without authentication to gain control of affected systems.

💻 Affected Systems

Products:
  • HisiPHP
Versions: 2.0.11
Operating Systems: All platforms running HisiPHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of HisiPHP 2.0.11 regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing remote code execution, data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to web server compromise, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper network segmentation, web application firewalls, and file upload restrictions in place.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub issues demonstrate the vulnerability and exploitation appears straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.12 or later

Vendor Advisory: https://github.com/hisiphp/hisiphp/issues/10

Restart Required: No

Instructions:

1. Backup your current installation.
2. Download HisiPHP 2.0.12 or later from the official source.
3. Replace vulnerable files with patched versions.
4. Verify file permissions and ownership.

🔧 Temporary Workarounds

Disable Plugin Upload Directory (linux)

Remove or restrict access to the vulnerable upload directory. Either restrict it:

chmod 000 /path/to/hisiphp/Upload/Plugins/

or remove it entirely (this also disables legitimate plugin uploads until the patch is applied):

rm -rf /path/to/hisiphp/Upload/Plugins/

Web Application Firewall Rules (all platforms)

Block requests containing suspicious upload patterns.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate HisiPHP from critical systems
  • Deploy web application firewall with rules blocking file upload exploitation patterns

🔍 How to Verify

Check if Vulnerable:

Check HisiPHP version in admin panel or by examining source files for version 2.0.11

Check Version:

grep -r "2.0.11" /path/to/hisiphp/ || php -r "include 'config.php'; echo \$config['version'];"

Verify Fix Applied:

Verify version is 2.0.12 or later and test upload functionality with controlled payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /Upload/Plugins/ directory
  • POST requests with suspicious file extensions
  • System command execution in web logs

Network Indicators:

  • HTTP requests with crafted multipart/form-data payloads
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND (uri="/Upload/Plugins/" OR file_extension IN ("php", "sh", "exe"))
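The log indicators above applied to access logs, as an added example that is not part of this advisory: it parses combined-format lines, flags POSTs into /Upload/Plugins/ and subsequent requests for php/sh/exe files there, and ranks a fetch of a script the same client just uploaded highest. The sample log lines, IP addresses and file names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Directory and extensions taken from the page's log indicators and SIEM query.
UPLOAD_DIR = "/Upload/Plugins/"
SUSPECT_EXT = {"php", "sh", "exe"}

# Combined log format (Apache/Nginx); captures client IP, method, URI and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2020:10:01:02 +0000] "POST /Upload/Plugins/shell.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Nov/2020:10:01:09 +0000] "GET /Upload/Plugins/shell.php HTTP/1.1" 200 128 "-" "curl/7.68.0"
198.51.100.7 - - [10/Nov/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2020:10:02:30 +0000] "POST /Upload/Plugins/theme.zip HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

def has_suspect_ext(path: str) -> bool:
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return ext in SUSPECT_EXT

def scan_log(text: str) -> list:
    """Return (ip, method, path, reason) tuples for requests matching the indicators."""
    findings = []
    uploaded = set()  # (ip, path) pairs seen in a POST to the plugin directory
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines instead of failing on malformed input
        ip, method = m["ip"], m["method"]
        path = urlparse(m["uri"]).path  # strip any query string before checking the extension
        if not path.startswith(UPLOAD_DIR):
            continue
        if method == "POST":
            uploaded.add((ip, path))
            reason = "script upload to plugin dir" if has_suspect_ext(path) else "upload to plugin dir"
            findings.append((ip, method, path, reason))
        elif has_suspect_ext(path):
            # A GET of a script the same client just uploaded is the strongest signal.
            reason = "access to own uploaded script" if (ip, path) in uploaded else "script access in plugin dir"
            findings.append((ip, method, path, reason))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```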
