CVE-2020-13166
published 2020-05-19

Priority: P1 (82) · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 77.64% (99.5th percentile)

The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

Affected (1 range)

Vendor: mylittletools · Product: mylittleadmin · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  • port: 8401
  • other: VIEWSTATE_GENERATOR: CA0B0334
  • path: /error/index.html
  • other: POST parameter: __VIEWSTATE (serialized .NET deserialization payload)
  • bytes: \x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf
  • Detect exploitation attempts by monitoring HTTP POST requests to myLittleAdmin (default port 8401/TCP) containing a `__VIEWSTATE` parameter; a crafted ViewState signed with the hardcoded machineKey will trigger a 302 redirect to /error/index.html on successful exploitation.
  • Alert on HTTP responses containing 'myLittleAdmin for SQL Server' on port 8401 to identify exposed vulnerable instances.
  • Monitor for processes spawned by IUSRPLESK_sqladmin (the SQL Admin MSSQL anonymous account under Plesk) as an indicator of post-exploitation activity.
  • The exploit uses CmdStager flavors psh_invokewebrequest, certutil, and vbs for payload staging; monitor for certutil.exe or PowerShell Invoke-WebRequest activity originating from the myLittleAdmin process.
  • The hardcoded __VIEWSTATEGENERATOR value CA0B0334 in HTTP requests to myLittleAdmin is a strong indicator of exploitation using the known hardcoded machineKey.
  • The hardcoded machineKey (validationKey) is the same across ALL myLittleAdmin 3.8 installations, meaning any instance is exploitable without prior authentication or customer-specific knowledge.
  • Plesk installs myLittleAdmin automatically during 'full' installation as an optional component, broadening the attack surface to all Plesk Obsidian full installs with myLittleAdmin 3.8.
  • SSL is enabled by default in the Metasploit module; defenders should ensure TLS inspection is in place on port 8401 to detect malicious ViewState payloads in transit.
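The detection points above (a `__VIEWSTATE` POST on 8401/TCP, the hardcoded `__VIEWSTATEGENERATOR` value CA0B0334, and the 302 to /error/index.html) as a small log scanner. This is an added example, not code from the page, the vendor, or the Metasploit module; the pipe-delimited proxy-log layout and the sample lines are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample proxy log (assumed layout): ts|src|dst_port|method|path|status|location|body
SAMPLE_LOG = """\
2020-05-20T10:01:02Z|10.0.0.5|8401|GET|/|200|-|-
2020-05-20T10:01:07Z|10.0.0.5|8401|POST|/|302|/error/index.html|__VIEWSTATE=c2FtcGxl&__VIEWSTATEGENERATOR=CA0B0334
2020-05-20T10:02:15Z|10.0.0.9|443|POST|/login|200|-|user=bob&__VIEWSTATE=dDwxMjM
2020-05-20T10:03:40Z|10.0.0.5|8401|POST|/|302|/error/index.html|__VIEWSTATE=c2FtcGxl&__VIEWSTATEGENERATOR=DEADBEEF
"""

HARDCODED_GENERATOR = "CA0B0334"   # __VIEWSTATEGENERATOR value from the IOC list above
MLA_PORT = 8401                    # myLittleAdmin default port
ERROR_PAGE = "/error/index.html"   # redirect target seen on successful exploitation

def parse_line(line):
    """Split one constructed log line into a record; body is parsed as form data."""
    ts, src, port, method, path, status, location, body = line.split("|", 7)
    return {"ts": ts, "src": src, "port": int(port), "method": method, "path": path,
            "status": int(status), "location": location,
            "params": parse_qs(body) if body != "-" else {}}

def indicators(rec):
    """Return the list of page-derived indicators that match this record."""
    hits = []
    has_viewstate = "__VIEWSTATE" in rec["params"]
    if rec["method"] == "POST" and has_viewstate and rec["port"] == MLA_PORT:
        hits.append("viewstate_post_mla_port")
    generator = rec["params"].get("__VIEWSTATEGENERATOR", [""])[0]
    if generator.upper() == HARDCODED_GENERATOR:
        hits.append("hardcoded_viewstate_generator")
    if rec["status"] == 302 and rec["location"] == ERROR_PAGE and has_viewstate:
        hits.append("redirect_to_error_after_viewstate")
    return hits

def scan(log_text):
    """Scan a whole log; the hardcoded generator alone is treated as high severity."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = indicators(rec)
        if hits:
            severity = "high" if "hardcoded_viewstate_generator" in hits else "medium"
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "indicators": hits, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The ordinary `__VIEWSTATE` POST on port 443 produces no alert, while the 8401 POST with a different generator value is still flagged at medium severity because the redirect-after-ViewState pattern matches.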

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)