CVE-2020-10547
published 2020-06-04


Priority: P277 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 36.11% (98.3th percentile)
rConfig 3.9.4 and previous versions have an unauthenticated SQL injection in compliancepolicyelements.inc.php. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Affected

1 range

Vendor    Product   Version range   Fixed in
rconfig   rconfig   <= 3.9.4

Detection & IOCs (extracted from sources)

path: /compliancepolicyelements.inc.php
url: {{BaseURL}}/compliancepolicyelements.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL+--+&searchColumn=elementName&searchOption=contains
  • Detect unauthenticated GET requests to compliancepolicyelements.inc.php with UNION-based SQL injection payloads in the searchField parameter (no authentication required).
  • Match HTTP 200 responses containing the canary string '[project-discovery]' (decoded from hex 0x223e3c42523e5b70726f6a6563742d646973636f766572795d) in the response body to confirm successful blind UNION SQLi exploitation.
  • Alert on GET requests to /compliancepolicyelements.inc.php containing the parameters search=True, searchField with a UNION SELECT payload, searchColumn=elementName, and searchOption=contains — the exact attack pattern for CVE-2020-10547.
  • Use Shodan/FOFA/Google dorks to identify exposed rConfig instances as potential targets: Shodan 'http.title:"rconfig"', FOFA 'title="rconfig"', Google 'intitle:"rconfig"'.
  • Nodes' passwords are stored in cleartext by default in rConfig, meaning successful SQL injection directly exposes credentials for all monitored network devices, enabling lateral movement.
  • The vulnerability is unauthenticated — no session or credentials are required to trigger the SQL injection endpoint.
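
The request-side checks in the list above can be run over web server access logs. The following is an added example, not part of the original entry or of rConfig: it assumes combined-format logs, and the sample lines, verdict labels and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2020:10:00:01 +0000] "GET /compliancepolicyelements.inc.php'
    '?search=True&searchField=x%27+UNION+SELECT+NULL,NULL,NULL,NULL,NULL+--+'
    '&searchColumn=elementName&searchOption=contains HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Jun/2020:10:00:02 +0000] "GET /compliancepolicyelements.inc.php'
    '?search=True&searchField=a%27/**/uNiOn/**/sElEcT/**/1 HTTP/1.1" 500 0',
    '198.51.100.7 - - [04/Jun/2020:10:00:03 +0000] "GET /compliancepolicyelements.inc.php'
    '?search=True&searchField=acl&searchColumn=elementName&searchOption=contains HTTP/1.1" 200 90',
    '198.51.100.7 - - [04/Jun/2020:10:00:04 +0000] "GET /login.php HTTP/1.1" 200 1024',
]

TARGET = "/compliancepolicyelements.inc.php"
REQ = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UNION_SELECT = re.compile(r"\bunion\b.+?\bselect\b", re.I | re.S)

def classify(line):
    """Return (src, verdict) for requests to the vulnerable script, else None."""
    m = REQ.search(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if not parts.path.lower().endswith(TARGET):
        return None
    # parse_qs decodes %xx and '+'; the second unquote catches double encoding.
    field = unquote_plus(" ".join(parse_qs(parts.query).get("searchField", [])))
    # Replace inline SQL comments with a space so union/**/select still matches.
    field = re.sub(r"/\*.*?\*/", " ", field, flags=re.S)
    if UNION_SELECT.search(field):
        # Logs carry no response body, so the canary check is not possible here;
        # an HTTP 200 is ranked above other statuses for follow-up.
        verdict = "sqli-200" if m["status"] == "200" else "sqli-attempt"
    else:
        verdict = "endpoint-access"
    return m["src"], verdict

def scan(lines):
    """Classify every line and keep only hits on the vulnerable script."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(src, verdict)
```

An "endpoint-access" verdict is not an alert on its own; it marks requests to the script that are worth correlating with session data, since the access log alone cannot show whether the caller was authenticated.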

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P