CVE-2020-10532
published 2020-03-12

CVE-2020-10532: The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext passwords via the /domains/list URI.

Priority P3 52 high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 2.79% (84.6th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
watchguard | ad_helper_firmware | < 5.8.5.10317 | 5.8.5.10317

Detection & IOCs (extracted from sources)

url: /rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc
path: /domains/list
  • HTTP GET request to /rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc returns HTTP 200 with JSON body containing all four fields: fullyQualifiedName, logonDomain, username, and password — indicating successful credential disclosure.
  • Response body must contain all four JSON keys simultaneously: 'fullyQualifiedName', 'logonDomain', 'username', and 'password' (AND condition) to confirm exploitation.
  • No authentication is required; the endpoint is accessible by unauthenticated remote attackers, so absence of auth headers in the request is expected during exploitation.
  • Vulnerability is present in WatchGuard Fireware AD Helper component versions prior to 5.8.5.10317; only those versions are affected.
  • The vulnerable component is specifically the Threat Detection and Response (TDR) AD Helper service; the endpoint may only be exposed when TDR/AD Helper is installed and running.
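
The conditions above can be applied to already-captured proxy or web-server transaction logs. The following is an added example, not code from this entry or from WatchGuard; it also includes a version comparison against the fixed build. The record fields (`src`, `method`, `status`, `url`, `body`), the `content` wrapper in the response body and all sample values are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

REQUIRED_KEYS = {"fullyQualifiedName", "logonDomain", "username", "password"}
FIXED_VERSION = (5, 8, 5, 10317)  # first fixed AD Helper build, per this entry

def is_affected(version: str) -> bool:
    """True when an AD Helper version string sorts before the fixed build."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

def collect_keys(node, found=None):
    """Gather every JSON object key at any nesting depth."""
    found = set() if found is None else found
    if isinstance(node, dict):
        found.update(node)
        for value in node.values():
            collect_keys(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_keys(item, found)
    return found

def is_disclosure(record: dict) -> bool:
    """Apply the entry's conditions to one logged HTTP transaction."""
    path = urlsplit(record["url"]).path.rstrip("/")
    if record["method"] != "GET" or record["status"] != 200 or not path.endswith("/domains/list"):
        return False
    try:
        body = json.loads(record["body"])
    except (ValueError, TypeError):
        return False  # empty or non-JSON body: nothing was disclosed
    return REQUIRED_KEYS <= collect_keys(body)  # AND condition on all four keys

# Constructed sample transactions (not real traffic); field names are assumed.
SAMPLES = [
    {"src": "198.51.100.7", "method": "GET", "status": 200,
     "url": "/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc",
     "body": '{"content": [{"fullyQualifiedName": "corp.example", "logonDomain": "CORP",'
             ' "username": "svc-tdr", "password": "<redacted>"}]}'},
    {"src": "198.51.100.7", "method": "GET", "status": 200,
     "url": "/rest/domains/list", "body": '[{"fullyQualifiedName": "corp.example"}]'},
    {"src": "203.0.113.9", "method": "GET", "status": 401,
     "url": "/rest/domains/list", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["src"], rec["status"], "DISCLOSURE" if is_disclosure(rec) else "ok")
```

Because the endpoint requires no authentication, the check deliberately ignores auth headers; a hit means the AD Helper service account password listed in the response should be rotated.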

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N