CVE-2020-11107
published 2020-04-02


Priority: P2 67 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 22.47% (97.4th percentile)
An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-control.ini for all users (including admins) to enable arbitrary command execution.

Affected (3 ranges)

Vendor         Product   Version range         Fixed in
apachefriends  xampp     < 7.2.29              7.2.29
apachefriends  xampp     >= 7.3.0 < 7.3.16     7.3.16
apachefriends  xampp     >= 7.4.0 < 7.4.4      7.4.4

Detection & IOCs (extracted from sources)

path: C:\xampp\xampp-control.ini
filename: xampp-control.ini
  • Monitor for unauthorized write access to C:\xampp\xampp-control.ini by non-administrative (unprivileged) users, as exploitation involves modifying the .exe path entry in this file.
  • Detect PowerShell commands that read and modify xampp-control.ini using Get-Content / Set-Content to replace an executable path, which is the exploitation technique used in the public PoC.
  • Alert on processes spawned from paths referenced inside xampp-control.ini (especially non-standard or temp-directory paths such as C:\temp\) when launched in the context of XAMPP control panel execution.
  • The vulnerability affects XAMPP on Windows only; versions before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 are impacted. The exploit was tested specifically on Windows 10 with XAMPP 7.3.10.
  • The exploit payload path (C:\temp\msf.exe) is attacker-controlled and will vary per intrusion; defenders should focus on the INI modification behaviour rather than a static payload path.
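As an added illustration of the detection guidance above (this is example code written for this page, not code from the CVE record or from the XAMPP project), the following Python script does two of the checks the bullets describe: it audits the executable paths in a control-panel INI file and flags any entry that resolves outside the install directory, and it scans process command-line records for PowerShell cmdlets that write to xampp-control.ini while ignoring plain reads. The [ExePaths] section name, the key names, the sample INI content and the sample command lines are constructed assumptions about the file layout and log format; only the C:\xampp\xampp-control.ini location and the C:\temp\msf.exe payload path come from the page.

```python
import configparser
import ntpath
import re

# Default XAMPP install root on Windows (the file location given on the page).
INSTALL_ROOT = r"C:\xampp"

# Constructed sample INI content. The [ExePaths] section and the key names are
# assumptions about the file layout, not copied from a real install; the
# C:\temp\msf.exe value mirrors the payload path mentioned on the page.
SAMPLE_INI = r"""
[ExePaths]
Apache=apache\bin\httpd.exe
MySQL=mysql\bin\mysqld.exe
FileZilla=C:\temp\msf.exe
Tomcat=..\..\Users\Public\payload.exe
"""


def audit_exe_paths(ini_text, install_root=INSTALL_ROOT):
    """Return (section, key, resolved_path) for every .exe entry that resolves
    outside install_root. Relative entries are resolved against install_root;
    absolute entries and '..' traversal are normalised with ntpath, so the
    check works on any host OS, not only on the Windows box itself."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # preserve key case for reporting
    parser.read_string(ini_text)
    root_prefix = ntpath.normcase(ntpath.normpath(install_root)) + "\\"
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not value.lower().endswith(".exe"):
                continue
            resolved = ntpath.normpath(ntpath.join(install_root, value))
            if not ntpath.normcase(resolved).startswith(root_prefix):
                findings.append((section, key, resolved))
    return findings


# Constructed process command-line records, shaped like what a process-creation
# log source with command-line auditing (e.g. Sysmon event 1) would record.
SAMPLE_CMDLINES = [
    r'powershell.exe -c "(Get-Content C:\xampp\xampp-control.ini) -replace \"httpd.exe\", \"C:\temp\msf.exe\" | Set-Content C:\xampp\xampp-control.ini"',
    r'powershell.exe -c "Get-Content C:\xampp\xampp-control.ini"',
    r'notepad.exe C:\xampp\readme_en.txt',
]

# PowerShell cmdlets that write file contents; a bare Get-Content read is not
# flagged, which keeps the rule quieter than matching the filename alone.
WRITE_CMDLET_RE = re.compile(r"\b(Set-Content|Add-Content|Out-File)\b", re.IGNORECASE)


def flag_ini_write_commands(cmdlines, ini_name="xampp-control.ini"):
    """Return the command lines that both reference the INI file and use a
    PowerShell cmdlet that writes to a file."""
    return [c for c in cmdlines
            if ini_name.lower() in c.lower() and WRITE_CMDLET_RE.search(c)]


if __name__ == "__main__":
    for finding in audit_exe_paths(SAMPLE_INI):
        print("exe path outside install root:", finding)
    for cmd in flag_ini_write_commands(SAMPLE_CMDLINES):
        print("INI write command:", cmd)
```

The path audit catches both an absolute path elsewhere on disk (the temp-directory case from the third bullet) and a relative entry that traverses out of the install tree with `..`. It does not check who is allowed to write the file, which is the actual root cause; that ACL review has to be done on the Windows host (for example with icacls) and is outside this example.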

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd     v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P