cbcvebase.
CVE-2020-10546
published 2020-06-04


Priority: P1 (91)   Severity: critical   CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 87.33% (99.7th percentile)
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Affected (1 range)

Vendor   Product   Version range   Fixed in
rconfig  rconfig   <= 3.9.4        not listed

Detection & IOCs (extracted from sources)

Path:
  /compliancepolicies.inc.php
URL (Nuclei template probe):
  {{BaseURL}}/compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL+--+
Snort/Suricata (ET Open, sid 2033639; rule text as captured):
  ET EXPLOIT rConfig [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT rConfig < 3.9.7 SQLi (CVE-2020-10546)"; flow:established,to_server; http.uri; content:"/compliancepolicies.inc.php"; nocase; fast_pattern; content:"searchOption=contains"; content:"searchField=antani"; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,github.com/theguly/exploits/blob/master/CVE-2020-10546.py; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-10546; classtype:attempted-admin; sid:2033639; rev:2; metadata:attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_10546, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_02;)
Bytes (the hex-encoded canary passed to concat() in the probe; it decodes to the ASCII string "><BR>[project-discovery]):
  0x223e3c42523e5b70726f6a6563742d646973636f766572795d
  • Exploit requests target /compliancepolicies.inc.php with the GET parameters search=True, searchColumn=policyName, searchOption=contains and a SQLi payload in searchField (the public PoC uses the marker value antani followed by a UNION SELECT). Alert on the co-occurrence of these parameters in a single HTTP request URI.
  • The Nuclei PoC injects a UNION SELECT whose selected value is the hex-encoded canary above. A response body containing the decoded string "><BR>[project-discovery] shows that the injected SELECT executed and its result was rendered, so this is in-band UNION-based SQLi, not blind. Matching that string in responses to /compliancepolicies.inc.php identifies successful exploitation rather than a mere attempt.
  • The ET Snort rule uses a PCRE for common SQL keywords (UNION SELECT, UPDATE SET, DELETE FROM, INSERT INTO, SHOW TABLES, EXEC, inline comments /*...*/) in the URI of requests to the vulnerable endpoint. The regex can be reused as a WAF or IDS pattern, but note that its bare EXEC alternative also matches ordinary words containing "exec", so anchor it to the endpoint path and parameter shape rather than using it on its own.
  • Shodan/FOFA/Google dorks can be used to identify exposed rConfig instances as attack surface: search for the HTTP title "rconfig".
  • The vulnerability is unauthenticated: no session cookie or credentials are required, so any HTTP GET to /compliancepolicies.inc.php with SQL metacharacters in searchField should be treated as a high-confidence attack attempt.
  • The ET Snort rule (sid:2033639) requires TLS decryption to be effective against HTTPS-protected rConfig deployments, as its "deployment SSLDecrypt" metadata tag indicates.
  • rConfig stores node passwords in cleartext by default, so successful SQLi exploitation directly yields usable credentials for lateral movement to the monitored network devices.
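The detection points above combined into one script, as an added example that is not part of this page, of rConfig, or of the ET/Nuclei projects. It applies the ET keyword regex and a SQL-metacharacter check to the percent-decoded searchField value, flags the hex canary in the request, scans constructed Apache-style access-log lines, and checks a constructed response body for the decoded canary. The log format, sample lines, client IPs and function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/compliancepolicies.inc.php"

# Parameter shape used by the public PoC / Nuclei probe (compared case-insensitively).
EXPECTED_PARAMS = {"search": "true", "searchcolumn": "policyname", "searchoption": "contains"}

# Keyword PCRE lifted from the ET rule (sid:2033639). The rule runs it over the raw URI;
# here it runs over the decoded searchField value, so %27 is already a quote character.
SQL_KEYWORDS = re.compile(
    r"(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(?:DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))"
    r"|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|/\*.+\*/|EXEC)",
    re.IGNORECASE | re.DOTALL,
)

# SQL metacharacters that have no business in a policy-name search term.
SQL_METACHARS = re.compile(r"['\"`;#]|--|/\*")

# The Nuclei canary is sent hex-encoded so it survives quoting; decoded it is the
# string '"><BR>[project-discovery]' that a successful UNION SELECT echoes back.
CANARY_HEX = "223e3c42523e5b70726f6a6563742d646973636f766572795d"
CANARY = bytes.fromhex(CANARY_HEX).decode("ascii")


def analyze_uri(uri):
    """Classify one request URI against the CVE-2020-10546 indicators."""
    parts = urlsplit(uri)
    result = {"vuln_path": False, "param_shape": False, "metachar": False,
              "sql_keywords": False, "nuclei_canary": False, "verdict": "benign"}
    if parts.path.lower() != VULN_PATH:
        return result
    result["vuln_path"] = True
    qs = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    result["param_shape"] = all(qs.get(k, "").lower() == v for k, v in EXPECTED_PARAMS.items())
    field = qs.get("searchfield", "")
    result["metachar"] = bool(SQL_METACHARS.search(field))
    result["sql_keywords"] = bool(SQL_KEYWORDS.search(field))
    result["nuclei_canary"] = CANARY_HEX in field.lower()
    # The endpoint is unauthenticated, so metacharacters in searchField are high confidence
    # on their own. A keyword-only hit (no quote, no comment marker) is downgraded because
    # the ET regex's bare EXEC alternative also matches ordinary words such as "executive".
    if result["metachar"] or result["nuclei_canary"]:
        result["verdict"] = "attack"
    elif result["sql_keywords"]:
        result["verdict"] = "suspicious"
    elif result["param_shape"]:
        result["verdict"] = "search"  # legitimate-looking policy search
    return result


# Apache/nginx combined-format prefix: ip ident user [ts] "METHOD URI PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """Return [(client_ip, verdict)] for every line that is an attack or a suspicious probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = analyze_uri(m.group("uri"))["verdict"]
        if verdict in ("attack", "suspicious"):
            hits.append((m.group("ip"), verdict))
    return hits


def response_shows_exploitation(body):
    """True when the decoded canary is echoed back, i.e. the injected SELECT executed."""
    return CANARY in body


# Constructed sample data (not real traffic): one Nuclei-style probe, one normal search,
# one unrelated request, and one hand-typed quote-based injection attempt.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2020:11:02:13 +0000] "GET /compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=antani%27+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL+--+ HTTP/1.1" 200 5123',
    '198.51.100.4 - - [10/Jun/2020:11:03:40 +0000] "GET /compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=pci HTTP/1.1" 200 2201',
    '198.51.100.9 - - [10/Jun/2020:11:04:02 +0000] "GET /login.php HTTP/1.1" 200 1480',
    '203.0.113.8 - - [10/Jun/2020:11:05:55 +0000] "GET /compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=x%27%20or%201=1--%20 HTTP/1.1" 200 5123',
]

# Constructed response excerpt showing the canary rendered into the results table.
SAMPLE_RESPONSE = '<table><tr><td>"><BR>[project-discovery]</td><td></td><td></td></tr></table>'

if __name__ == "__main__":
    for ip, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {verdict}")
    print("exploitation confirmed:", response_shows_exploitation(SAMPLE_RESPONSE))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; because the classifier works on the decoded parameter value, it also catches payloads that percent-encode the space and quote characters, which a raw-URI match on the literal "searchField=antani" would not.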

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL  -