An insecure update feature in the /updater.php component of rConfig 3.9.6 and below allows malicious users to execute arbitrary code via a crafted ZIP file.
rconfig rconfig