CVE-2020-11546
published 2020-07-14

Priority: P1 (90)
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 31.73% (98.1st percentile)
SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.

Affected

1 range

Vendor          Product          Version range    Fixed in
superwebmailer  superwebmailer   < 7.40.0.01550   7.40.0.01550

Detection & IOCs (extracted from sources)

path: /mailingupgrade.php
command: step=1&Language=de{${system("ls")}}&NextBtn=Weiter+%3E
  • Detect exploitation attempts by monitoring POST requests to /mailingupgrade.php containing PHP code injection patterns in the Language parameter (e.g., `${system(...)}`)
  • Successful exploitation response body contains the strings ajax_ccea.php, ajax_getemailingactions.php, and ajax_getemailtemplates.php simultaneously — use these as positive match indicators in HTTP response body inspection
  • Identify exposed SuperWebMailer instances via Shodan query `title:"SuperWebMailer"` or FOFA query `title="superwebmailer"` as potential targets
  • The vulnerability is unauthenticated — no session cookie or authentication header is required in the exploit POST request to /mailingupgrade.php
  • The PoC payload uses `system("ls")` as a benign proof-of-concept command; real attackers will substitute arbitrary OS commands, so detection rules should match the injection syntax pattern (e.g., `Language=` parameter containing `${...}` or PHP function calls) rather than the specific command string
  • The Nuclei template targets only version 7.21.0.01526 (CPE cpe:2.3:a:superwebmailer:superwebmailer:*); the wildcard CPE suggests other versions may also be in scope, so scope detection broadly against the endpoint rather than version-gating
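As an added example (not from the page's sources or the Nuclei template), a small Python detector that implements the bullets above: it flags POST bodies to /mailingupgrade.php whose Language value carries a `${...}`/`{$...}` block or a PHP function call, and checks a response body for the three success markers. The request-record shape and the sample records are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Injection syntax in the Language parameter: a PHP expression block "${...}"
# or "{$...}", or a bare PHP function call such as system("..."). Matching the
# syntax rather than the command string catches substituted commands too.
INJECTION_RE = re.compile(r'\$\{|\{\$|\b[a-z_]\w*\s*\(', re.IGNORECASE)

# All three must appear in a response body to count as a positive match.
SUCCESS_MARKERS = ("ajax_ccea.php",
                   "ajax_getemailingactions.php",
                   "ajax_getemailtemplates.php")


def is_exploit_attempt(method, path, body):
    """True for a POST to /mailingupgrade.php whose Language value looks injected."""
    if method.upper() != "POST":
        return False
    # Tolerate installs under a sub-directory and any query string on the path.
    if not path.split("?")[0].endswith("/mailingupgrade.php"):
        return False
    # parse_qs URL-decodes values, so %7B%24 and raw "{$" are treated alike.
    params = parse_qs(body, keep_blank_values=True)
    return any(INJECTION_RE.search(v) for v in params.get("Language", []))


def is_exploit_success(response_body):
    """True when all three success-marker strings occur in the response body."""
    return all(marker in response_body for marker in SUCCESS_MARKERS)


def scan(requests):
    """Return indices of (method, path, body) records that look like attempts."""
    return [i for i, (m, p, b) in enumerate(requests) if is_exploit_attempt(m, p, b)]


# Constructed sample records (not real traffic): a benign upgrade step, the
# page's PoC payload verbatim, the same payload URL-encoded, and an unrelated GET.
SAMPLE_REQUESTS = [
    ("POST", "/mailingupgrade.php", "step=1&Language=de&NextBtn=Weiter+%3E"),
    ("POST", "/mailingupgrade.php", 'step=1&Language=de{${system("ls")}}&NextBtn=Weiter+%3E'),
    ("POST", "/swm/mailingupgrade.php", "step=1&Language=de%7B%24%7Bsystem%28%22ls%22%29%7D%7D&NextBtn=Weiter+%3E"),
    ("GET", "/index.php", "Language=en"),
]

if __name__ == "__main__":
    print("suspicious request indices:", scan(SAMPLE_REQUESTS))
```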

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL