cbcvebase.
CVE-2020-10548
published 2020-06-04


Priority: P187, critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 36.11% (98.3th percentile)

rConfig 3.9.4 and previous versions have an unauthenticated SQL injection in devices.inc.php. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Affected

1 ranges
Vendor  | Product | Version range | Fixed in
rconfig | rconfig | <= 3.9.4      |

Detection & IOCs (extracted from sources)

path: /devices.inc.php
url: {{BaseURL}}/devices.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+--+&searchColumn=n.id&searchOption=contains
yara:
  strings:
    $marker = "[project-discovery]"
  condition:
    $marker
  • Detect unauthenticated GET requests to /devices.inc.php with UNION-based SQL injection payloads in the 'searchField' parameter (e.g., containing 'union+select' or 'union select') combined with parameters searchColumn and searchOption.
  • Successful exploitation returns HTTP 200 with the string '[project-discovery]' (decoded from hex 0x223e3c42523e5b70726f6a6563742d646973636f766572795d) in the response body — use this as a canary/marker in response-based detection.
  • Use Shodan query 'http.title:"rconfig"', FOFA query 'title="rconfig"', or Google dork 'intitle:"rconfig"' to identify exposed rConfig instances for proactive scanning.
  • The vulnerability is unauthenticated (PR:N, UI:N) — no session cookie or login is required; any GET request to devices.inc.php with a crafted searchField is sufficient to trigger the injection.
  • Because nodes' passwords are stored in cleartext, post-exploitation lateral movement to monitored network devices should be investigated if this endpoint is found to have been accessed with injection payloads.
  • The SQL injection uses a 10-column UNION SELECT; the number of NULLs (9) reflects the column count of the underlying query in rConfig 3.9.4 — payloads with a different NULL count will fail, so fingerprint the column count before adapting the payload.
  • Affected versions are rConfig 3.9.4 and all previous versions; the CPE wildcard cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:* confirms no lower version bound — all rConfig deployments should be treated as potentially vulnerable until patched.
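
The request-side detection described in the bullets above, as an added example (not part of the original entry or of rConfig): it scans web access logs for GET requests to devices.inc.php whose decoded searchField contains a UNION SELECT. The combined log format, the sample lines, the /rconfig/ path prefix and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.4 - - [04/Jun/2020:09:00:01 +0000] "GET /devices.inc.php?search=True&searchField=credit-union-sw1&searchColumn=n.id&searchOption=contains HTTP/1.1" 200 812',
    '203.0.113.7 - - [04/Jun/2020:09:00:05 +0000] "GET /devices.inc.php?search=True&searchField=x\'+union+select+NULL,NULL+--+&searchColumn=n.id&searchOption=contains HTTP/1.1" 200 640',
    '203.0.113.9 - - [04/Jun/2020:09:00:09 +0000] "GET /rconfig/devices.inc.php?searchField=x%27%20UNION%2F**%2FSELECT%20NULL&searchColumn=n.id&searchOption=contains HTTP/1.1" 500 0',
    '203.0.113.9 - - [04/Jun/2020:09:00:12 +0000] "GET /login.php?searchField=union+select HTTP/1.1" 200 99',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Separators between keywords: whitespace (after URL decoding) or inline SQL comments.
SEP = r'(?:\s|/\*.*?\*/)+'
UNION_RE = re.compile(rf'union{SEP}(?:all{SEP})?select', re.I | re.S)

def inspect(line):
    """Return a finding dict if the line matches the injection pattern, else None."""
    m = REQUEST_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/devices.inc.php"):
        return None
    # parse_qs decodes both %xx escapes and '+', so encoded variants are normalised.
    params = parse_qs(url.query, keep_blank_values=True)
    field = " ".join(params.get("searchField", []))
    if not UNION_RE.search(field):
        return None
    return {
        "client": m["ip"],
        "status": int(m["status"]),
        # The entry notes the payload travels with these two parameters.
        "has_search_params": {"searchColumn", "searchOption"}.issubset(params),
        "searchField": field[:80],
    }

def scan(lines):
    """Collect findings for every matching log line."""
    return [f for f in map(inspect, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 is the case to prioritise for the credential and lateral-movement review the entry calls for; matching on the decoded value avoids missing percent-encoded or comment-separated variants.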

CVSS provenance

nvd       | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0 | 7.5 | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck |      | 9.8 | CRITICAL |