CVE-2020-10879
Published 2020-03-23
Priority P183 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 83.86% (99.7th percentile)
rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped.
Affected: 1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | < 3.9.5 | 3.9.5 |
Detection & IOCs (extracted from sources)
- Monitor GET requests to /lib/crud/search.crud.php where the 'nodeId' parameter contains shell metacharacters such as '||', '|', ';', '&', or bash redirection operators (e.g., '>&', '/dev/tcp/').
- Detect URL-encoded bash reverse shell payloads in the 'nodeId' GET parameter of requests to search.crud.php, specifically patterns matching '%7C%7C+bash+-i' or '/dev/tcp/' after decoding.
- Flag any rConfig instance running version 3.9.4 or earlier (prior to 3.9.5) as vulnerable to this unauthenticated-post-auth command injection.
- The exploit was tested on CentOS 7 (1908); the bash reverse shell payload assumes a Linux target. Detection on Windows-based deployments may require different indicators.
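The log check described in the first two bullets, as an added example that is not from the original page or from rConfig: it scans web access-log lines for GET requests to search.crud.php and reports which of the listed indicators appear in nodeId after URL decoding, including double-encoded values. The combined log format, the sample lines (constructed) and all function and indicator names are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

TARGET = "/lib/crud/search.crud.php"
REQUEST = re.compile(r'"GET (?P<uri>\S+) HTTP/[\d.]+"')
# Indicators taken from the detection notes above; names are this example's own.
INDICATORS = {
    "pipe": re.compile(r"\|"),
    "semicolon": re.compile(r";"),
    "ampersand": re.compile(r"&"),
    "dev_tcp": re.compile(r"/dev/tcp/"),
    "bash_interactive": re.compile(r"\bbash\s+-i\b"),
}

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return the sorted indicator names found in nodeId, or [] if clean."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("uri"))
    if not unquote(url.path).endswith(TARGET):  # also matches sub-directory installs
        return []
    hits = set()
    for raw in parse_qs(url.query, keep_blank_values=True).get("nodeId", []):
        value = decode_fully(raw)
        hits.update(name for name, rx in INDICATORS.items() if rx.search(value))
    return sorted(hits)

def scan(lines):
    """Map 1-based line number -> indicators, for flagged lines only."""
    flagged = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            flagged[n] = hits
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2020:10:00:00 +0000] "GET /lib/crud/search.crud.php?nodeId=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2020:10:00:05 +0000] "GET /lib/crud/search.crud.php?nodeId=12%7C%7C+bash+-i HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Apr/2020:10:00:09 +0000] "GET /lib/crud/search.crud.php?nodeId=12%253Btrue HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Apr/2020:10:01:00 +0000] "GET /index.php?nodeId=1%3B HTTP/1.1" 200 90',
]
```

A raw, unencoded '&' in the request splits the query string before nodeId is read, so this check sees only the part of the value before it.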
CVSS provenance
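| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |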