Cyber Posture

CVE-2020-37090

Critical · Public PoC

Published: 03 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: none documented
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0104 (77.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37090 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Arox School Erp Pro. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.3% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

[prevent] Directly requires validation of uploaded files in the messaging system to reject arbitrary PHP scripts and prevent RCE.

[prevent] Restricts information inputs to safe file types only, blocking uploads of dangerous PHP files through message attachments.

[prevent, detect] Employs malicious code protection mechanisms to scan and block PHP shells in uploaded message attachments before execution.
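As an added example (not code from this page or from the Arox product), the following Python shows the input-validation logic the SI-10 control calls for, written for a message attachment handler: an allowlist of attachment types, a check of every dotted name segment so that double-extension names such as shell.php.jpg are rejected, a magic-byte check so the content matches the claimed type, and a randomly generated stored name. The allowlisted types and the set of server-executable name segments are assumptions for illustration; School ERP Pro itself is PHP, so the same checks would be applied in its upload handler.

```python
import os
import secrets

# Attachment types the messaging feature is assumed to need (allowlist, with magic bytes).
# Assumption for the example: documents and images only; no scripts of any kind.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# Name segments a PHP-capable web server may hand to a script engine. This is a
# deny check that runs independently of the allowlist, so "shell.php.jpg" is
# rejected even though its final extension is allowed (Apache AddHandler /
# mod_mime setups treat any ".php" segment as PHP).
SERVER_EXECUTABLE = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "pht", "cgi", "pl", "htaccess",
}


class RejectedUpload(Exception):
    """Raised for any attachment that fails validation; the caller discards the upload."""


def validate_attachment(original_name: str, data: bytes) -> str:
    """Validate a message attachment and return the random name to store it under.

    Raises RejectedUpload for anything that is not an allowlisted document/image.
    """
    # Keep only the final path component; directory traversal in the client name is dropped.
    base = os.path.basename(original_name.replace("\\", "/"))
    if not base or base in (".", "..") or "\x00" in base:
        raise RejectedUpload("invalid filename")

    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise RejectedUpload("missing extension")

    # Check every dotted segment after the first, not just the last one.
    for seg in parts[1:]:
        if seg in SERVER_EXECUTABLE:
            raise RejectedUpload(f"server-executable name segment: {seg}")

    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise RejectedUpload(f"extension not allowlisted: {ext}")

    # Content must match the claimed type; the client-supplied name and MIME type are untrusted.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise RejectedUpload("content does not match extension")

    # A valid image can still carry PHP in its body (polyglot). Reject the obvious
    # case here; execution must additionally be disabled in the upload directory.
    if b"<?php" in data or b"<?=" in data:
        raise RejectedUpload("embedded PHP open tag")

    # Never reuse the client name: the stored name is random and keeps only the vetted extension.
    return f"{secrets.token_hex(16)}.{ext}"


def attachment_accepted(original_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if the attachment passes validation."""
    try:
        validate_attachment(original_name, data)
        return True
    except RejectedUpload:
        return False


if __name__ == "__main__":
    # Constructed sample uploads, including the CWE-434 case described on this page.
    samples = [
        ("homework.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0JFIF"),
        ("shell.jpg", b"<?php system($_GET['c']); ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF<?php phpinfo(); ?>"),
    ]
    for name, blob in samples:
        try:
            print(f"{name}: stored as {validate_attachment(name, blob)}")
        except RejectedUpload as exc:
            print(f"{name}: rejected ({exc})")
```

Validation alone does not close CWE-434: the directory that receives attachments must also be served with script execution disabled (for mod_php, `php_admin_flag engine off` inside a Directory block; for nginx, a location for the upload path that has no fastcgi_pass), so that a polyglot which passes every check above still cannot run.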

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote code execution through unrestricted file upload of PHP scripts in a public-facing web application (School ERP Pro messaging system), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.

Deeper analysis (AI-generated)

School ERP Pro 1.0 suffers from a file upload vulnerability in its messaging system, tracked as CVE-2020-37090 and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). The message attachment feature accepts arbitrary files, including PHP scripts, and stores them where the web server will execute them, which gives the uploader remote code execution (RCE) on the server. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no user interaction.

The NVD description says the flaw lets students upload arbitrary PHP files, which implies an ordinary student account is enough, while the CVSS vector is scored PR:N (no privileges required). The two statements are not reconciled in the available material. Either way, defenders should not treat authentication as a meaningful barrier: a school ERP issues student credentials in bulk, and once a malicious PHP attachment is stored under the web root the attacker requests it directly and executes arbitrary code as the web server user, compromising confidentiality, integrity and availability.

Advisories and references, including Exploit-DB entry 48392 and VulnCheck, document the vulnerability and provide a proof-of-concept exploit demonstrating the RCE. Archived project pages on SourceForge and the vendor site (arox.in) identify the affected School ERP Pro 1.0 release, but no vendor patch or official mitigation is documented in the available information; the compensating controls above (attachment type allowlisting and blocking script execution in the upload directory) are the practical defence.
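As an added example for the detect side of SI-3 and the T1190 mapping (not code from this page or from the vendor), this Python runs a hunt over web-server access logs: any request for a PHP-executable name under the attachment directory is flagged, a 200 response is rated high because the server served or executed the file, and each hit is correlated with a recent POST from the same client to the attachment endpoint. The endpoint path, the upload directory and the log lines are constructed for the example and are not taken from the product.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical paths for the example; the real endpoint and upload directory
# of School ERP Pro are not given on this page.
ATTACHMENT_POST = "/messages/send.php"
UPLOAD_PREFIX = "/uploads/messages/"
PHP_EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht"}
WINDOW_SECONDS = 300  # upload-to-first-request window used for correlation


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def is_php_under_uploads(path: str) -> bool:
    """True if the requested path points at a PHP-executable name inside the upload directory."""
    path = path.split("?", 1)[0]
    if not path.startswith(UPLOAD_PREFIX):
        return False
    name = path.rsplit("/", 1)[-1].lower()
    # Every dotted segment counts, so "cmd.php.bak" is flagged as well as "cmd.php".
    return any(seg in PHP_EXEC_EXTS for seg in name.split(".")[1:])


def find_webshell_activity(lines):
    """Return one alert per request for a PHP-executable file under the upload directory.

    severity is "high" when the server answered 200 (it served or executed the file);
    uploaded_by_same_client is True when the same IP POSTed to the attachment
    endpoint within WINDOW_SECONDS before the request.
    """
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    last_attachment_post = {}
    alerts = []
    for ev in events:
        if ev["method"] == "POST" and ev["path"].split("?", 1)[0] == ATTACHMENT_POST:
            last_attachment_post[ev["ip"]] = ev["ts"]
            continue
        if not is_php_under_uploads(ev["path"]):
            continue
        prior = last_attachment_post.get(ev["ip"])
        correlated = prior is not None and 0 <= (ev["ts"] - prior).total_seconds() <= WINDOW_SECONDS
        alerts.append({
            "ip": ev["ip"],
            "ts": ev["ts"].isoformat(),
            "method": ev["method"],
            "path": ev["path"],
            "status": ev["status"],
            "severity": "high" if ev["status"] == 200 else "medium",
            "uploaded_by_same_client": correlated,
        })
    return alerts


# Constructed sample log (not real traffic): a student account uploads cmd.php
# as an attachment, then the same client requests and drives it.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2026:10:01:12 +0000] "POST /messages/send.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Feb/2026:10:01:20 +0000] "GET /uploads/messages/cmd.php?c=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Feb/2026:10:01:25 +0000] "POST /uploads/messages/cmd.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '198.51.100.4 - - [03/Feb/2026:10:02:03 +0000] "GET /uploads/messages/homework.pdf HTTP/1.1" 200 84311 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Feb/2026:10:02:10 +0000] "GET /uploads/messages/old.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Feb/2026:10:02:15 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in find_webshell_activity(SAMPLE_LOG):
        print(alert)
```

A 200 for a PHP name under the upload directory is the strongest single signal here: it means the server handed the file to the script engine, so triage should start with a filesystem sweep of that directory for files containing a PHP open tag and with the process tree of the web server user.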

Details

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type
Affected Products

arox school erp pro 1.0

CVEs Like This One

CVE-2020-37084 (same product: Arox School Erp Pro)
CVE-2020-37089 (same product: Arox School Erp Pro)
CVE-2020-37088 (same product: Arox School Erp Pro)
CVE-2025-54440 (shared CWE-434)
CVE-2024-56828 (shared CWE-434)
CVE-2025-34299 (shared CWE-434)
CVE-2022-50936 (shared CWE-434)
CVE-2025-12673 (shared CWE-434)
CVE-2025-13067 (shared CWE-434)
CVE-2026-3459 (shared CWE-434)

References