Cyber Resilience

CVE-2020-36897

CriticalPublic PoC

Published: 10 December 2025

Published
10 December 2025
Modified
17 December 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0359 88.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-36897 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Howfor Qihang Media Web Digital Signage. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-36897 is an unauthenticated remote code execution vulnerability affecting QiHang Media Web Digital Signage version 3.0.9. The flaw resides in the QH.aspx file, where the file upload functionality can be abused via the 'remotePath' and 'fileToUpload' parameters. This allows attackers to upload malicious ASPX scripts, enabling the execution of arbitrary system commands on the server. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Any unauthenticated attacker with network access can exploit this vulnerability due to its low complexity and lack of required privileges or user interaction. Successful exploitation grants full remote code execution on the affected server, providing high confidentiality, integrity, and availability impacts. Attackers can write files to arbitrary locations and execute system commands, potentially leading to complete server compromise.

Advisories from VulnCheck and Zero Science document the issue, while an exploit is publicly available on Exploit-DB. No specific patches or mitigation details are outlined in the provided references.

EU & UK References

Vulnerability details

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to…

more

write and execute arbitrary system commands on the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated RCE via unrestricted file upload in public-facing web app (T1190); directly enables deployment and execution of malicious ASPX web shells (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36898Same product: Howfor Qihang Media Web Digital Signage
CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434
CVE-2026-35164Shared CWE-434
CVE-2026-2097Shared CWE-434
CVE-2025-12154Shared CWE-434
CVE-2026-42748Shared CWE-434

Affected Assets

howfor
qihang media web digital signage
3.0.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the unrestricted file upload flaw in QH.aspx by identifying, reporting, and correcting the vulnerability through timely patching or updates.

prevent

Validates 'remotePath' and 'fileToUpload' parameters to reject malicious ASPX scripts and prevent arbitrary command execution on the server.

prevent

Restricts classes of file upload inputs to safe types only, blocking unrestricted upload of dangerous executable ASPX files.

References