CVE-2020-11546
Published 2020-07-14
Priority: P190 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 31.73% (98.1st percentile)
SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| superwebmailer | superwebmailer | < 7.40.0.01550 | 7.40.0.01550 |
Detection & IOCs (extracted from sources)
Path: /mailingupgrade.php
Command (PoC payload): step=1&Language=de{${system("ls")}}&NextBtn=Weiter+%3E
- Detect exploitation attempts by monitoring POST requests to /mailingupgrade.php containing PHP code injection patterns in the Language parameter (e.g., `${system(...)}`).
- Successful exploitation response body contains the strings ajax_ccea.php, ajax_getemailingactions.php, and ajax_getemailtemplates.php simultaneously; use these as positive match indicators in HTTP response body inspection.
- Identify exposed SuperWebMailer instances via Shodan query `title:"SuperWebMailer"` or FOFA query `title="superwebmailer"` as potential targets.
- The vulnerability is unauthenticated: no session cookie or authentication header is required in the exploit POST request to /mailingupgrade.php.
- The PoC payload uses `system("ls")` as a benign proof-of-concept command; real attackers will substitute arbitrary OS commands, so detection rules should match the injection syntax pattern (e.g., `Language=` parameter containing `${...}` or PHP function calls) rather than the specific command string.
- The Nuclei template targets only version 7.21.0.01526 (CPE cpe:2.3:a:superwebmailer:superwebmailer:*); the wildcard CPE suggests other versions may also be in scope, so scope detection broadly against the endpoint rather than version-gating.
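The detection notes above boil down to two checks: an injection-syntax match on the `Language` parameter of POST requests to `/mailingupgrade.php`, and a response-body match on the three `ajax_*.php` filenames. The following Python is an added example, not code from the original page or from any of the indexed sources; it runs both checks over a handful of constructed request/response records. The record schema (`method`, `path`, `body`, `response`) is an assumed one for a proxy or WAF log that captures POST bodies, not any real product's format. It deliberately keys on the syntax (`${`, `{$`, a function call) rather than the `system("ls")` string, and it matches the path by suffix so an instance installed under a subdirectory is still covered.

```python
"""Detection logic for CVE-2020-11546 exploitation attempts against SuperWebMailer.

Added example (not from the original page or its sources). Field names below
are an assumed log schema; all sample records are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/mailingupgrade.php"

# Match the injection *syntax*, not a specific command: PHP curly-brace
# interpolation (`${...}` / `{$...}`) or any function call with parentheses.
INJECTION_SYNTAX = re.compile(r"\$\{|\{\$|\b[A-Za-z_]\w*\s*\(")

# Filenames the source notes say appear together in a successful exploitation response.
SUCCESS_MARKERS = (
    "ajax_ccea.php",
    "ajax_getemailingactions.php",
    "ajax_getemailtemplates.php",
)


def language_values(body: str) -> list[str]:
    """Return every decoded value of the Language parameter in a form body.

    parse_qs decodes one layer of URL encoding; unquote_plus removes a second
    layer so a single extra round of encoding cannot hide the pattern.
    """
    values = parse_qs(body, keep_blank_values=True).get("Language", [])
    return [unquote_plus(v) for v in values]


def is_injection_attempt(method: str, path: str, body: str) -> bool:
    """True for a POST to the vulnerable endpoint whose Language value carries code syntax."""
    if method.upper() != "POST":
        return False
    if not path.split("?", 1)[0].endswith(TARGET_PATH):
        return False
    return any(INJECTION_SYNTAX.search(v) for v in language_values(body))


def is_successful_exploitation(response_body: str) -> bool:
    """True only when all three marker filenames occur in the response body."""
    return all(marker in response_body for marker in SUCCESS_MARKERS)


def classify(record: dict) -> str:
    """Label one record as 'benign', 'attempt', or 'attempt+success'."""
    if not is_injection_attempt(record["method"], record["path"], record["body"]):
        return "benign"
    if is_successful_exploitation(record.get("response", "")):
        return "attempt+success"
    return "attempt"


# Constructed sample records. Record r2 reuses the PoC body quoted on the page;
# r3 is the same brace syntax URL-encoded with no command at all, to show the
# rule fires on syntax rather than on the command string.
SAMPLE_RECORDS = [
    {"id": "r1", "method": "POST", "path": "/mailingupgrade.php",
     "body": "step=1&Language=de&NextBtn=Weiter+%3E",
     "response": "<html>Schritt 2</html>"},
    {"id": "r2", "method": "POST", "path": "/mail/mailingupgrade.php",
     "body": 'step=1&Language=de{${system("ls")}}&NextBtn=Weiter+%3E',
     "response": "ajax_ccea.php\najax_getemailingactions.php\najax_getemailtemplates.php\n"},
    {"id": "r3", "method": "POST", "path": "/mailingupgrade.php",
     "body": "step=1&Language=de%7B%24%7Bx%7D%7D&NextBtn=Weiter+%3E",
     "response": "<html>Fehler</html>"},
    {"id": "r4", "method": "POST", "path": "/index.php",
     "body": "Language=de%7B%24%7Bx%7D%7D",
     "response": "<html>ok</html>"},
]


def run_detection(records=SAMPLE_RECORDS) -> dict[str, str]:
    """Classify every record and return {record id: label}."""
    return {r["id"]: classify(r) for r in records}


if __name__ == "__main__":
    for rid, label in run_detection().items():
        print(f"{rid}: {label}")
```

Record r4 stays benign because the endpoint check is part of the rule; if the deployment in question has the application under a path that does not end in `/mailingupgrade.php`, widen `TARGET_PATH` accordingly rather than dropping the path check, which would otherwise match any form with a `Language` field.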
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-rjp2-9xwv-c3mp: SuperWebMailer 7 (ghsa_unreviewed · 2022-05-24 · CVE-2020-11546 · HIGH · CWE-74)
VulnCheck
CVE-2020-11546 [CRITICAL] superwebmailer superwebmailer Improper Control of Generation of Code ('Code Injection') (vulncheck · 2020 · CVSS 9.8)
Affected: superwebmailer superwebmailer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vulnerability=cve-2020-11546; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnera
No detection rules found.
Nuclei
CVE-2020-11546 [CRITICAL] SuperWebmailer 7.21.0.01526 - Remote Code Execution (nuclei · CVSS 9.8)
Template (as indexed):

```yaml
id: CVE-2020-11546
info:
  name: SuperWebmailer 7.21.0.01526 - Remote Code Execution
  author: Official_BlackHat13
  severity: critical
  description: SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary co
```
No writeups or analysis indexed.
Timeline: 2020-07-14 Published · Exploited in the wild