CVE-2020-10548
Published 2020-06-04
Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Badges: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 36.11% (98.3th percentile)
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | <= 3.9.4 | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/devices.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+--+&searchColumn=n.id&searchOption=contains
yara:
  strings: $marker = "[project-discovery]"
  condition: $marker
- Detect unauthenticated GET requests to /devices.inc.php with UNION-based SQL injection payloads in the 'searchField' parameter (e.g., containing 'union+select' or 'union select') combined with the parameters searchColumn and searchOption.
- Successful exploitation returns HTTP 200 with the string '[project-discovery]' (decoded from hex 0x223e3c42523e5b70726f6a6563742d646973636f766572795d) in the response body; use this as a canary/marker in response-based detection.
- Use the Shodan query 'http.title:"rconfig"', the FOFA query 'title="rconfig"', or the Google dork 'intitle:"rconfig"' to identify exposed rConfig instances for proactive scanning.
- The vulnerability is unauthenticated (PR:N, UI:N): no session cookie or login is required, and any GET request to devices.inc.php with a crafted searchField is sufficient to trigger the injection.
- Because nodes' passwords are stored in cleartext, post-exploitation lateral movement to monitored network devices should be investigated if this endpoint is found to have been accessed with injection payloads.
- The SQL injection uses a 10-column UNION SELECT; the number of NULLs (9) reflects the column count of the underlying query in rConfig 3.9.4. Payloads with a different NULL count will fail, so fingerprint the column count before adapting the payload.
- Affected versions are rConfig 3.9.4 and all previous versions; the CPE wildcard cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:* confirms no lower version bound, so all rConfig deployments should be treated as potentially vulnerable until patched.
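The detection bullets above describe two checks: a request-side check (a UNION SELECT inside the searchField parameter of a request to /devices.inc.php) and a response-side check (the '[project-discovery]' canary that the public probe makes the server echo; the hex on this page decodes to `"><BR>[project-discovery]`). The following is an added example, not code from this page or from the rConfig or Nuclei projects, that runs both checks over a few constructed Apache combined-format access-log lines. The log lines, IP addresses and the shortened payload variants in them are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format). Lines 3 and 4
# mirror the shape of the public probe (UNION SELECT in searchField), once
# with '+' encoding and once with percent encoding; lines 1 and 2 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2023:10:01:02 +0000] "GET /devices.inc.php?search=True&searchField=core-sw1&searchColumn=n.id&searchOption=contains HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Nov/2023:10:01:09 +0000] "GET /login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Nov/2023:10:02:44 +0000] "GET /devices.inc.php?search=True&searchField=antani'+union+select+NULL,NULL+--+&searchColumn=n.id&searchOption=contains HTTP/1.1" 200 6400 "-" "python-requests/2.31"
198.51.100.7 - - [17/Nov/2023:10:02:50 +0000] "GET /devices.inc.php?search=True&searchField=x%27%20UNION%20ALL%20SELECT%20NULL--&searchColumn=n.id&searchOption=contains HTTP/1.1" 200 6400 "-" "python-requests/2.31"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# UNION [ALL] SELECT separated by whitespace or inline SQL comments (union/**/select).
UNION_RE = re.compile(
    r"\bunion(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b", re.IGNORECASE
)

# Marker the public probe causes a vulnerable server to echo on success.
CANARY = "[project-discovery]"


def is_injection_request(target):
    """True if the request targets devices.inc.php with a UNION SELECT in searchField."""
    parts = urlsplit(target)
    if not parts.path.endswith("/devices.inc.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    for value in qs.get("searchField", []):
        # parse_qs already decodes '+' and %xx once; decode a second time
        # so that double-encoded payloads are caught as well.
        if UNION_RE.search(value) or UNION_RE.search(unquote_plus(value)):
            return True
    return False


def scan_access_log(text):
    """Return (client_ip, timestamp, status) for every request matching the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_injection_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


def response_has_canary(body):
    """Response-side check: a 200 body containing the canary confirms the probe succeeded."""
    return CANARY in body


if __name__ == "__main__":
    for ip, ts, status in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> devices.inc.php UNION SELECT in searchField (HTTP {status})")
```

A request-side hit with a 200 response is the trigger for the follow-up the page calls for: treat the node credentials stored by that rConfig instance as exposed and review access to the monitored devices. Obfuscations beyond inline comments and double encoding are not normalized here; a WAF or IDS that decodes and canonicalizes the query string first will be more robust.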
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-59cr-f2p3-c96w (ghsa_unreviewed, 2022-05-24): CVE-2020-10548, severity HIGH, CWE-89, "rConfig 3"
VulnCheck
VulnCheck advisory (2020, CVSS 9.8, CRITICAL): rConfig / rConfig, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected: rConfig rConfig
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2020-10548; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-19&host_type=sr
No detection rules found.
Nuclei
Nuclei template (CVSS 9.8, CRITICAL): CVE-2020-10548, rConfig 3.9.4 - SQL Injection
Template:
id: CVE-2020-10548
info:
  name: rConfig 3.9.4 - SQL Injection
  author: madrobot
  severity: critical
  description: rConfig 3.9.4 and previous versions have unauthenticated devices.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthor
No writeups or analysis indexed.