Cyber Resilience

CVE-2020-37090

Severity: High · Public PoC available

Published: 03 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: none referenced on this page
CVSS v4.0 base score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0077 (50.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37090 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Arox School Erp Pro. Its CVSS base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

School ERP Pro 1.0 suffers from a file upload vulnerability in its messaging system, tracked as CVE-2020-37090 and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw allows authenticated users, such as students, to upload arbitrary PHP files through the message attachment feature; because the server will execute a PHP file it stores in a web-served directory, this leads to remote code execution (RCE). A CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is also recorded for the issue, but its PR:N value conflicts with the vulnerability description and with the CVSS v4 vector above (PR:L), both of which require a low-privilege account; the v4 rating of 8.7 (High) is the one consistent with the described attack.

Any remote attacker who holds or can obtain a low-privilege account (a student login, per the vulnerability description and the v4 vector's PR:L) can exploit this over the network. By uploading a malicious PHP script as a message attachment and then requesting it from the server, the attacker executes arbitrary code with the privileges of the web server process, compromising confidentiality, integrity and availability and potentially gaining full control of the host.

Advisories and references, including those from Exploit-DB (exploit 48392) and Vulncheck, document the vulnerability and provide proof-of-concept exploits demonstrating the RCE. Archived project pages on SourceForge and the vendor site (arox.in) highlight the affected School ERP Pro 1.0 software, but no specific patches or mitigations are detailed in the available information.


Vulnerability details

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote code execution by an authenticated low-privilege user through unrestricted upload of PHP scripts to a public-facing web application (the School ERP Pro messaging system), which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
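One way to hunt for this technique in web server access logs, as an added example that is not part of the page or of the Arox product: the heuristic flags any client that fetched a server-side-executable file under an attachment directory with a 2xx response, and counts that client's earlier POSTs to the messaging endpoint, since "upload attachment, then request it" is the attack path the page describes. The log lines, client IPs, `UPLOAD_DIRS` and `MESSAGE_ENDPOINTS` are constructed assumptions and must be replaced with the real application's routes.

```python
"""Hunt for served PHP attachments in combined-format web access logs.

Added example (not page or vendor code). Sample log, IPs and route names are
constructed assumptions; set UPLOAD_DIRS / MESSAGE_ENDPOINTS to the real app.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format; only the fields the hunt needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions a PHP-enabled host executes in place when they are requested.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(?:$|[?#])", re.I)
# Where attachments are served from and where they are submitted (assumptions).
UPLOAD_DIRS = ("/uploads/", "/attachments/")
MESSAGE_ENDPOINTS = ("/messages/send", "/messages/attach")

# Constructed sample traffic: one benign user, one attacker, one failed probe.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 1423
10.0.0.5 - - [03/Feb/2026:10:01:10 +0000] "POST /messages/send HTTP/1.1" 302 0
10.0.0.5 - - [03/Feb/2026:10:01:11 +0000] "GET /uploads/msg/7f3a.pdf HTTP/1.1" 200 88123
198.51.100.23 - - [03/Feb/2026:10:05:40 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.23 - - [03/Feb/2026:10:05:55 +0000] "POST /messages/send HTTP/1.1" 302 0
198.51.100.23 - - [03/Feb/2026:10:06:01 +0000] "GET /uploads/msg/c0de.php?cmd=id HTTP/1.1" 200 57
198.51.100.23 - - [03/Feb/2026:10:06:09 +0000] "GET /uploads/msg/c0de.php?cmd=whoami HTTP/1.1" 200 12
203.0.113.9 - - [03/Feb/2026:10:07:00 +0000] "GET /uploads/msg/old.php HTTP/1.1" 404 210
"""


def parse(lines):
    """Yield one dict per parseable line with the timestamp converted."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def hunt(log_text: str) -> list[dict]:
    """Return one finding per client IP that successfully fetched an executable
    file under an upload directory, with the paths served and how many POSTs to
    the messaging endpoint that IP made at or before the first hit."""
    message_posts = defaultdict(list)
    findings = {}
    for e in parse(log_text.splitlines()):
        path = e["path"]
        if e["method"] == "POST" and path.split("?")[0] in MESSAGE_ENDPOINTS:
            message_posts[e["ip"]].append(e["ts"])
            continue
        served_exec = e["status"].startswith("2") and EXEC_EXT.search(path) \
            and any(d in path for d in UPLOAD_DIRS)
        if served_exec:
            f = findings.setdefault(e["ip"], {"ip": e["ip"], "served": [], "prior_message_posts": 0})
            f["served"].append(path)
            f["prior_message_posts"] = sum(1 for t in message_posts[e["ip"]] if t <= e["ts"])
    return sorted(findings.values(), key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ip']}: {len(f['served'])} executable fetch(es) under uploads, "
              f"{f['prior_message_posts']} prior message POST(s)")
        for p in f["served"]:
            print("   ", p)
```

The 404 from 203.0.113.9 is deliberately not flagged: a failed probe is worth a lower-priority alert, but a 2xx on a `.php` under the attachment tree is the signal that a shell was both stored and executed. Any hit from this hunt should be followed by pulling the attachment directory itself and checking the served file's content.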

CVEs Like This One

CVE-2020-37084 (same product: Arox School Erp Pro)
CVE-2020-37089 (same product: Arox School Erp Pro)
CVE-2020-37088 (same product: Arox School Erp Pro)
CVE-2025-12352 (shared CWE-434)
CVE-2026-1730 (shared CWE-434)
CVE-2025-13067 (shared CWE-434)
CVE-2025-54449 (shared CWE-434)
CVE-2025-1070 (shared CWE-434)
CVE-2025-12528 (shared CWE-434)
CVE-2025-67325 (shared CWE-434)

Affected Assets

Vendor: arox · Product: school erp pro · Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent): directly requires validation of uploaded files in the messaging system so that arbitrary PHP scripts are rejected and RCE is prevented.

Input-type restriction (prevent; control identifier not given on the page): restricts information inputs to safe file types only, blocking uploads of dangerous PHP files through message attachments.

SI-3 Malicious Code Protection (prevent, detect): employs malicious code protection mechanisms to scan and block PHP shells in uploaded message attachments before they can be executed.
