CVE-2020-10547
Published: 2020-06-04
- Priority: P2 · 77
- Severity: critical, 9.8 (CVSS 3.1; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Exploit: public exploit available
- EPSS: 36.11% (98.3rd percentile)
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | <= 3.9.4 | — |
Detection & IOCs (extracted from sources)
- URL (from the Nuclei template): `{{BaseURL}}/compliancepolicyelements.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL+--+&searchColumn=elementName&searchOption=contains`
- Detect unauthenticated GET requests to compliancepolicyelements.inc.php with UNION-based SQL injection payloads in the searchField parameter (no authentication required).
- Match HTTP 200 responses containing the canary string '[project-discovery]' (decoded from hex 0x223e3c42523e5b70726f6a6563742d646973636f766572795d) in the response body to confirm successful blind UNION SQLi exploitation.
- Alert on GET requests to /compliancepolicyelements.inc.php containing the parameters search=True, searchField with a UNION SELECT payload, searchColumn=elementName, and searchOption=contains, which is the exact attack pattern for CVE-2020-10547.
- Use Shodan/FOFA/Google dorks to identify exposed rConfig instances as potential targets: Shodan 'http.title:"rconfig"', FOFA 'title="rconfig"', Google 'intitle:"rconfig"'.
- Nodes' passwords are stored in cleartext by default in rConfig, meaning successful SQL injection directly exposes credentials for all monitored network devices, enabling lateral movement.
- The vulnerability is unauthenticated: no session or credentials are required to trigger the SQL injection endpoint.
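As an added example (not code from this page, from rConfig or from the Nuclei project), the following Python script applies the request-side detection points above to constructed web-server access-log lines: it flags GET requests to compliancepolicyelements.inc.php whose searchField carries a UNION SELECT (after URL decoding and stripping inline SQL comments) or the template's canary hex literal, and records whether the other parameters match the template's exact pattern. The sample log, the documentation-range IPs and the helper names are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint and canary hex literal taken from the Nuclei template on this page.
ENDPOINT = "/compliancepolicyelements.inc.php"
CANARY_HEX = "0x223e3c42523e5b70726f6a6563742d646973636f766572795d"
UNION_RE = re.compile(r"\bunion\b( all)? select\b")
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample access log (combined format); IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2020:10:01:02 +0000] "GET /compliancepolicyelements.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL+--+&searchColumn=elementName&searchOption=contains HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2020:10:01:05 +0000] "GET /compliancepolicyelements.inc.php?search=True&searchField=x%27%20UNION%2F%2A%2A%2FSELECT%201%2C2%2C3%20--%20&searchColumn=elementName&searchOption=contains HTTP/1.1" 200 1790 "-" "curl/7.68.0"
198.51.100.4 - - [04/Jun/2020:10:02:11 +0000] "GET /compliancepolicyelements.inc.php?search=True&searchField=core-switch&searchColumn=elementName&searchOption=contains HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Jun/2020:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def analyze_request(target: str) -> Optional[Dict[str, object]]:
    # Returns detection details for one request target, or None when it looks benign.
    parts = urlsplit(target)
    if not parts.path.lower().endswith(ENDPOINT):
        return None
    # parse_qs already turns '+' into spaces and decodes %xx escapes.
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    field = params.get("searchfield", "")
    norm = re.sub(r"/\*.*?\*/", " ", field)        # inline comments used to split UNION/SELECT
    norm = re.sub(r"\s+", " ", norm).lower()
    union = UNION_RE.search(norm) is not None
    canary = CANARY_HEX in norm
    if not (union or canary):
        return None
    exact = (params.get("search") == "True" and params.get("searchcolumn") == "elementName"
             and params.get("searchoption") == "contains")
    return {"union_select": union, "canary": canary, "template_pattern": exact, "field": field}

def scan_log(text: str) -> List[Dict[str, object]]:
    # Runs analyze_request over every access-log line, keeping source, time and status.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyze_request(m["target"])
        if hit:
            hit.update(src=m["src"], ts=m["ts"], status=int(m["status"]))
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} status={f['status']} union={f['union_select']} canary={f['canary']}")
```

The canary check only confirms the template's own probe; the UNION SELECT check is what catches a customised payload, so the two are reported separately.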
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei
Template "rConfig 3.9.4 - SQL Injection" (CVE-2020-10547, severity CRITICAL, CVSS 9.8).
Template (excerpt, as indexed):

```yaml
id: CVE-2020-10547

info:
  name: rConfig 3.9.4 - SQL Injection
  author: madrobot
  severity: critical
  description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries,
```
No writeups or analysis indexed.