The highlight parameter in the viewtopic.php script is not properly sanitized when it is decoded, this is exploited by this module to execute arbitrary php code on a vulnerable server in order to upload and execute an agent. When the target platform is Windows, this module leaves a file at the phpBB installation path with the name: decoded-XXXXXX.exe (where XXXXXX is a random number). This file will not be removed on agent uninstall, so it must be manually deleted.
CVE Link
Product Name