CVE-2020-11107
Published 2020-04-02

Priority: P2 · 67 · high · CVSS 3.1 base score 8.8
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 22.47% (97.4th percentile)
An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-control.ini for all users (including admins) to enable arbitrary command execution.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apachefriends | xampp | < 7.2.29 | 7.2.29 |
| apachefriends | xampp | >= 7.3.0 < 7.3.16 | 7.3.16 |
| apachefriends | xampp | >= 7.4.0 < 7.4.4 | 7.4.4 |
Detection & IOCs (extracted from sources)
- Monitor for unauthorized write access to C:\xampp\xampp-control.ini by non-administrative (unprivileged) users, as exploitation involves modifying the .exe path entry in this file.
- Detect PowerShell commands that read and modify xampp-control.ini using Get-Content / Set-Content to replace an executable path, which is the exploitation technique used in the public PoC.
- Alert on processes spawned from paths referenced inside xampp-control.ini (especially non-standard or temp-directory paths such as C:\temp\) when launched in the context of XAMPP control panel execution.
- The vulnerability affects XAMPP on Windows only; versions before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 are impacted. The exploit was tested specifically on Windows 10 with XAMPP 7.3.10.
- The exploit payload path (C:\temp\msf.exe) is attacker-controlled and will vary per intrusion; defenders should focus on the INI modification behaviour rather than a static payload path.
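As an added example (not from the tracker or from the XAMPP project), a small Python check that parses a constructed xampp-control.ini and flags executable entries that resolve outside the install tree, which is the behaviour the bullets above recommend alerting on. The section and key names in the sample, and the C:\xampp install root, are assumptions.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample: section and key names are assumed, not copied from a
# real install. The MySQL entry under [ExePaths] is the tampered one.
SAMPLE_INI = r"""
[BinaryNames]
Apache=httpd.exe
MySQL=mysqld.exe
[ExePaths]
Apache=apache\bin\httpd.exe
MySQL=C:\temp\msf.exe
"""

XAMPP_ROOT = PureWindowsPath(r"C:\xampp")  # assumed default install location


def _inside(path, root):
    """True if path lies lexically under root ("." and ".." not collapsed)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_suspicious_exe_entries(ini_text, xampp_root=XAMPP_ROOT):
    """Return (section, key, resolved_path, reason) for every .exe value that
    does not resolve to a location inside the XAMPP install tree."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if not value.strip().lower().endswith(".exe"):
                continue
            # Joining keeps relative entries under the root; an absolute or
            # rooted entry replaces the root entirely, as the loader would.
            resolved = xampp_root / PureWindowsPath(value.strip())
            if ".." in resolved.parts:
                findings.append((section, key, str(resolved), "parent-directory traversal"))
            elif not _inside(resolved, xampp_root):
                findings.append((section, key, str(resolved), "outside install root"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_exe_entries(SAMPLE_INI):
        print(*finding, sep=" | ")
```

Run it against the live file's contents on a host to triage the INI-modification alerts above; any finding is a candidate for the tampering this CVE describes, whatever the payload path.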
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.