CVE-2020-11698
published 2020-09-17


Priority: P277 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 73.67% (99.4th percentile)

An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.

Affected

1 range
Vendor    Product     Version range    Fixed in
titanhq   spamtitan

Detection & IOCs (extracted from sources)

path: /snmp-x.php
other: .1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108
port: 161
filename: snmpd.conf
  • Monitor HTTP POST requests to snmp-x.php containing newline characters (%0a or \n) in the 'community' parameter, which is the injection vector for snmpd.conf directive smuggling.
  • Detect POST requests to snmp-x.php with jaction=saveAll and a 'community' parameter containing the string 'extend' or 'exec', indicating SNMPD directive injection.
  • Alert on SNMP GET queries for OID .1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108 (NET-SNMP-EXTEND-MIB 'revshell' entry), which is used to trigger the injected reverse shell payload.
  • The exploit requires no authentication for SpamTitan versions 7.01, 7.02, and 7.07; flag unauthenticated POST requests to snmp-x.php from external IPs.
  • The snmpd daemon runs as root; detect unexpected outbound TCP connections from the snmpd process (FreeBSD), which would indicate a successful reverse shell.
  • Version 7.03 requires authentication to reach snmp-x.php, unlike versions 7.01, 7.02, and 7.07 which are fully unauthenticated. Detection rules should account for both authenticated and unauthenticated POST requests to snmp-x.php.
  • The exploit targets FreeBSD-based SpamTitan appliances; SNMP-based detection and process monitoring rules should be scoped to FreeBSD environments.
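
The HTTP-side checks from the list above, written as an added example (not code from this page or from the vendor). The record layout, the rule names, the INTERNAL_NETS ranges and every sample value are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: address ranges treated as internal; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# snmpd.conf directives named in the detection notes above.
DIRECTIVE = re.compile(r"\b(extend|exec)\b", re.IGNORECASE)

def is_external(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in INTERNAL_NETS)

def inspect_request(method, url, body, src_ip, authenticated):
    """Return the names of the rules that one HTTP request trips."""
    hits = []
    if method.upper() != "POST" or not urlsplit(url).path.endswith("/snmp-x.php"):
        return hits
    form = parse_qs(body, keep_blank_values=True)  # decodes %0a to "\n"
    community = " ".join(form.get("community", []))
    # Rule 1: a line break in 'community' can smuggle a new snmpd.conf line.
    if "\n" in community or "\r" in community:
        hits.append("community-newline")
    # Rule 2: saveAll request whose community value carries a directive keyword.
    if "saveAll" in form.get("jaction", []) and DIRECTIVE.search(community):
        hits.append("snmpd-directive")
    # Rule 3: unauthenticated POST from outside (7.01, 7.02, 7.07 need no login).
    if not authenticated and is_external(src_ip):
        hits.append("unauth-external-post")
    return hits

# Constructed sample records: (method, url, body, source IP, authenticated).
SAMPLES = [
    ("POST", "/snmp-x.php", "jaction=saveAll&community=public", "10.0.0.5", True),
    ("POST", "/snmp-x.php",
     "jaction=saveAll&community=public%0aextend+PLACEHOLDER+%2Fpath%2Fplaceholder",
     "203.0.113.10", False),
    ("POST", "/snmp-x.php", "jaction=saveAll&community=public", "203.0.113.10", False),
    ("GET", "/snmp-x.php", "", "203.0.113.10", False),
    ("POST", "/snmp-x.php", "jaction=saveAll&community=a%0aexec+PLACEHOLDER",
     "192.168.1.20", True),
]

def scan(records):
    """Map record index to tripped rules, skipping clean requests."""
    results = {i: inspect_request(*rec) for i, rec in enumerate(records)}
    return {i: hits for i, hits in results.items() if hits}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLES).items():
        print(idx, SAMPLES[idx][3], hits)
```

The last sample stands in for an authenticated 7.03-style request: rules 1 and 2 still fire even though rule 3 does not.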

CVSS provenance

nvd   v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C