CVE-2020-12146
Published 2020-11-05
Priority: P270 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 27.57% (97.8th percentile)
In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the /debugFiles REST API.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silver-peak | unity_orchestrator | < 8.9.11\+ | 8.9.11\+ |
| silver-peak | unity_orchestrator | >= 8.10 < 8.10.11\+ | 8.10.11\+ |
| silver-peak | unity_orchestrator | >= 9.0 < 9.0.1\+ | 9.0.1\+ |
| silver_peak_systems_inc | unity_orchestrator | — | — |
| silver_peak_systems_inc | unity_orchestrator | — | — |
| silver_peak_systems_inc | unity_orchestrator | — | — |
Detection & IOCs (extracted from sources)

url: /gms/rest/debugFiles/delete
path: ../phantomGenImg.js

Snort/Suricata rule:

```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.host; pcre:"/(?:localhost|127\.0\.0\.1)/"; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:2; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_04;)
```
- Look for HTTP POST requests to the /gms/rest/debugFiles REST API endpoint, which is the vulnerable path for file access, modification, and deletion.
- The exploit specifically targets the /gms/rest/debugFiles/delete endpoint via HTTP POST, indicating a path traversal/file deletion attack vector.
- The exploit uses a path traversal payload (../phantomGenImg.js) in the HTTP request body as the fast_pattern anchor: alert on this string in POST bodies to the debugFiles endpoint.
- The exploit targets requests where the HTTP Host header is localhost or 127.0.0.1, suggesting server-side request forgery or local loopback abuse as part of the attack chain.
- The Suricata/Snort rule references CVE-2020-12145 alongside CVE-2020-12146, suggesting this rule may be intended to cover a chained exploit scenario involving both CVEs. Ensure coverage for both when deploying.
- The vulnerability requires an authenticated user session; unauthenticated access alone is not sufficient. Detection should account for sessions that have already passed authentication.
- Affected versions are Silver Peak Unity Orchestrator prior to 8.9.11+, 8.10.11+, or 9.0.1+. Scope detection rules to these version ranges where version fingerprinting is available.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Suricata

ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)
suricata · 2021-01-07 · CVSS 6.6 · [MEDIUM] · sid 2031494
Rule text: see the Snort/Suricata rule listed under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-11-05