cbcvebase.
CVE-2020-10181
published 2020-03-11

CVE-2020-10181: goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a…

PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
14.21%
96.1th percentile
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_useradministrator123456 request.

Affected

1 ranges
VendorProductVersion rangeFixed in
sumavisionenhanced_multimedia_router_firmware

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://<host>/goform/formEMR30
commandsetString=new_useradministrator123456
commandcurl -X POST -d "type=11&cmd=3&language=0&slotNo=255&setString=$useradministrator$pass" "http://$host/goform/formEMR30"
path/goform/formEMR30
  • Monitor HTTP POST requests to the path /goform/formEMR30 on Sumavision EMR devices, particularly those containing POST body parameters type=11, cmd=3, and a setString field ending in 'administrator' followed by a password string, which indicates an attempt to create an admin-level user.
  • Alert on POST requests to /goform/formEMR30 where the body contains the substring 'administrator' within the setString parameter, as this is the mechanism used to assign elevated privileges to a newly created user.
  • The exploit is delivered as a CSRF attack; inspect web server logs on Sumavision EMR 3.0.4.27 devices for unexpected POST requests to /goform/formEMR30 originating from external or untrusted referrers.
  • ·The vulnerable endpoint /goform/formEMR30 accepts POST parameters type=11, cmd=3, language=0, slotNo=255, and setString formatted as <username>administrator<password>. The fixed POST body structure must be matched precisely for accurate detection; partial matches on the path alone may produce false positives on other EMR form endpoints.
  • ·This vulnerability is confirmed only on Sumavision EMR version 3.0.4.27. Detection rules should be scoped to this specific version to avoid false positives on other firmware versions.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.