cbcvebase.
CVE-2020-12146
published 2020-11-05


Priority: P2 (70, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 27.57% (97.8th percentile)
In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the /debugFiles REST API.

Affected (6 ranges)

Vendor                   Product              Version range         Fixed in
silver-peak              unity_orchestrator   < 8.9.11+             8.9.11+
silver-peak              unity_orchestrator   >= 8.10, < 8.10.11+   8.10.11+
silver-peak              unity_orchestrator   >= 9.0, < 9.0.1+      9.0.1+
silver_peak_systems_inc  unity_orchestrator   (not stated)          (not stated)
silver_peak_systems_inc  unity_orchestrator   (not stated)          (not stated)
silver_peak_systems_inc  unity_orchestrator   (not stated)          (not stated)

Detection & IOCs (extracted from sources)

url: /gms/rest/debugFiles/delete
path: ../phantomGenImg.js
snort rule:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.host; pcre:"/(?:localhost|127\.0\.0\.1)/"; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:2; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_04;)
  • Look for HTTP POST requests to the /gms/rest/debugFiles REST API endpoint, which is the vulnerable path for file access, modification, and deletion.
  • The exploit specifically targets the /gms/rest/debugFiles/delete endpoint via HTTP POST, indicating a path traversal/file deletion attack vector.
  • The exploit uses the path traversal payload ../phantomGenImg.js in the HTTP request body, and the rule uses that string as its fast_pattern anchor; alert on this string in POST bodies to the debugFiles endpoint.
  • The rule only fires when the HTTP Host header contains localhost or 127.0.0.1, suggesting local loopback abuse or server-side request forgery as part of the attack chain. The Host pcre is unanchored, so a value such as 127.0.0.1:443 also matches, but requests that carry the Orchestrator's real hostname will not trigger this rule.
  • The Suricata/Snort rule references CVE-2020-12145 alongside CVE-2020-12146, suggesting this rule may be intended to cover a chained exploit scenario involving both CVEs. Ensure coverage for both when deploying.
  • The vulnerability requires an authenticated user session; unauthenticated access alone is not sufficient. Detection should account for sessions that have already passed authentication.
  • Affected versions are Silver Peak Unity Orchestrator prior to 8.9.11+, 8.10.11+, or 9.0.1+. Scope detection rules to these version ranges where version fingerprinting is available.
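The following is an added example, not code from the page's sources or from the vendor: it applies the same four conditions as the rule above (POST method, URI starting with /gms/rest/debugFiles/delete, loopback Host header, the known payload in the body) to constructed HTTP requests, and also reports a broader condition, any `../` in a body posted to the debugFiles endpoint, so the effect of the Host constraint can be seen. The sample requests, and the names `parse_request`, `classify` and `scan`, are assumptions made for this example.

```python
import re

# Constructed sample requests (not captured traffic): one that meets every
# condition of the rule, one with a non-loopback Host header, and one benign.
SAMPLE_REQUESTS = [
    "POST /gms/rest/debugFiles/delete HTTP/1.1\r\nHost: 127.0.0.1:443\r\n"
    "Content-Type: application/json\r\n\r\n{\"file\":\"../phantomGenImg.js\"}",
    "POST /gms/rest/debugFiles/delete HTTP/1.1\r\nHost: orch.example.internal\r\n"
    "Content-Type: application/json\r\n\r\n{\"file\":\"../phantomGenImg.js\"}",
    "GET /gms/rest/appliance/list HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
]

LOOPBACK_HOST = re.compile(r"(?:localhost|127\.0\.0\.1)")  # same pcre as the rule, unanchored
DEBUG_FILES_URI = "/gms/rest/debugFiles/"
KNOWN_PAYLOAD = "../phantomGenImg.js"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, URI, lowercased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def classify(raw):
    """Evaluate each of the rule's conditions plus a broader traversal check."""
    method, uri, headers, body = parse_request(raw)
    checks = {
        "post": method == "POST",
        "delete_uri": uri.startswith(DEBUG_FILES_URI + "delete"),
        "loopback_host": bool(LOOPBACK_HOST.search(headers.get("host", ""))),
        "known_payload": KNOWN_PAYLOAD in body,
        # Broader than the published rule: any traversal sequence in a body
        # sent to the debugFiles endpoint, regardless of Host header.
        "any_traversal": uri.startswith(DEBUG_FILES_URI) and "../" in body,
    }
    checks["rule_match"] = all(
        checks[k] for k in ("post", "delete_uri", "loopback_host", "known_payload")
    )
    return checks


def scan(requests):
    """Classify every request; each result carries the per-condition verdicts."""
    return [classify(r) for r in requests]
```

Running `scan(SAMPLE_REQUESTS)` shows the second request, which differs from the first only by its Host header, escapes the rule while still tripping the broader traversal check.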

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P