CVE-2020-10181
Published 2020-03-11
CVE-2020-10181: goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a…
Priority: P187 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 14.21% (96.1th percentile)
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_useradministrator123456 request.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sumavision | enhanced_multimedia_router_firmware | — | — |
Detection & IOCs (extracted from sources)
command: `curl -X POST -d "type=11&cmd=3&language=0&slotNo=255&setString=$useradministrator$pass" "http://$host/goform/formEMR30"`
- Monitor HTTP POST requests to the path /goform/formEMR30 on Sumavision EMR devices, particularly those containing POST body parameters type=11, cmd=3, and a setString field ending in 'administrator' followed by a password string, which indicates an attempt to create an admin-level user.
- Alert on POST requests to /goform/formEMR30 where the body contains the substring 'administrator' within the setString parameter, as this is the mechanism used to assign elevated privileges to a newly created user.
- The exploit is delivered as a CSRF attack; inspect web server logs on Sumavision EMR 3.0.4.27 devices for unexpected POST requests to /goform/formEMR30 originating from external or untrusted referrers.
- The vulnerable endpoint /goform/formEMR30 accepts POST parameters type=11, cmd=3, language=0, slotNo=255, and setString formatted as <username>administrator<password>. The fixed POST body structure must be matched precisely for accurate detection; partial matches on the path alone may produce false positives on other EMR form endpoints.
- This vulnerability is confirmed only on Sumavision EMR version 3.0.4.27. Detection rules should be scoped to this specific version to avoid false positives on other firmware versions.
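The detection notes above, combined into one check, as an added example that is not taken from this page's sources: it matches the fixed POST body structure exactly, extracts the new username from setString, and marks requests whose Referer is absent or points at another host. The record field names (`method`, `path`, `host`, `referer`, `body`) and the sample requests are constructed assumptions about how a proxy or capture tool would expose the traffic.

```python
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/formEMR30"
# Fixed parameters of the user-creation request described on this page.
FIXED = {"type": "11", "cmd": "3", "language": "0", "slotNo": "255"}
ROLE = "administrator"

def inspect(req):
    """Return a finding for an admin-creation POST, else None."""
    if req["method"].upper() != "POST":
        return None
    if urlsplit(req["path"]).path.rstrip("/") != VULN_PATH:
        return None
    form = parse_qs(req["body"], keep_blank_values=True)
    # Require the whole fixed body, not just the path, to limit false positives.
    if any(form.get(k, [None])[0] != v for k, v in FIXED.items()):
        return None
    # setString is <username>administrator<password>; the password is not kept.
    user, sep, password = form.get("setString", [""])[0].partition(ROLE)
    if not sep or not user or not password:
        return None
    # CSRF signal: Referer missing, or its host differs from the device's Host.
    referer_host = urlsplit(req.get("referer") or "").netloc
    return {"new_user": user, "untrusted_referer": referer_host != req["host"]}

def scan(requests):
    """Run inspect() over an iterable of request records; keep the hits."""
    return [f for f in map(inspect, requests) if f is not None]

# Constructed sample records (documentation IP ranges, hypothetical pages).
BODY = "type=11&cmd=3&language=0&slotNo=255&setString=new_useradministrator123456"
SAMPLE = [
    {"method": "POST", "path": VULN_PATH, "host": "192.0.2.10",
     "referer": "http://203.0.113.7/page.html", "body": BODY},
    {"method": "POST", "path": VULN_PATH, "host": "192.0.2.10",
     "referer": "http://192.0.2.10/index.asp", "body": BODY},
    {"method": "POST", "path": VULN_PATH, "host": "192.0.2.10",
     "referer": None, "body": "type=11&cmd=1&language=0&slotNo=255&setString=x"},
    {"method": "POST", "path": "/goform/other", "host": "192.0.2.10",
     "referer": None, "body": BODY},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
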
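CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |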
CISA
Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-10181 [CRITICAL] CWE-352 Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability
Vulnerability: Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability
Affected: Sumavision Enhanced Multimedia Router (EMR)
Sumavision Enhanced Multimedia Router (EMR) contains a cross-site request forgery (CSRF) vulnerability allowing the creation of users with elevated privileges as administrator on a device.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-10181
Remediation Due Date: 2022-05-03
GHSA
GHSA-hx2x-p3w3-x6vh: goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3
ghsa_unreviewed·2022-05-24
CVE-2020-10181 [HIGH] CWE-269 GHSA-hx2x-p3w3-x6vh: goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_useradministrator123456 request.
VulnCheck
Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-10181 [CRITICAL] CWE-352 Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability
Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability
Sumavision Enhanced Multimedia Router (EMR) contains a cross-site request forgery (CSRF) vulnerability allowing the creation of users with elevated privileges as administrator on a device.
Affected: Sumavision Enhanced Multimedia Router (EMR)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
No detection rules found.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/156746/Enhanced-Multimedia-Router-3.0.4.27-Cross-Site-Request-Forgery.html
- https://github.com/s1kr10s/Sumavision_EMR3.0
- https://www.youtube.com/watch?v=Ufcj4D9eA5o
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10181
2020-03-11: Published
2021-11-03: Added to CISA KEV
Exploited in the wild