CVE-2020-13638
published 2020-11-13


Priority: P1 (90), critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 76.76% (99.5th percentile)
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.

Affected

1 range
Vendor: rconfig · Product: rconfig · Version range: >= 3.9.0, < 3.9.7 · Fixed in: 3.9.7

Detection & IOCs (extracted from sources)

path: /lib/crud/userprocess.php
command: POST /lib/crud/userprocess.php with multipart/form-data; ulevelid=9&add=add&editid=<empty>
command: POST /lib/crud/userprocess.php with body: user=<username>&pass=<password>&sublogin=1
  • Detect unauthenticated POST requests to /lib/crud/userprocess.php with 'add=add' and 'ulevelid=9' in the body, indicating an attempt to create an administrator account without authentication.
  • Successful exploitation results in a response body containing 'rConfig - Configuration Management', 'Logged in as', and 'dashboadFieldSet' — monitor for these strings in HTTP responses following a POST to /lib/crud/userprocess.php.
  • Shodan/FOFA fingerprint for exposed rConfig instances: look for HTTP title 'rConfig' or 'rconfig' to identify attack surface.
  • The exploit sequence is exactly 3 requests: (1) unauthenticated POST to /lib/crud/userprocess.php to create admin, (2) GET /login.php, (3) POST /lib/crud/userprocess.php with sublogin=1 to authenticate — correlate this 3-step pattern in web logs.
  • The vulnerability affects rConfig 3.9.x versions before 3.9.7 only; version 3.9.7 and later are patched.
  • The exploit is marked 'intrusive': the Nuclei template actually creates a real administrator account on the target system during detection.
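The detection points above can be turned into a log-correlation check. The following is an added example written for this page, not code from the record's sources, from rConfig, or from the Nuclei template. It assumes a hypothetical reverse-proxy/WAF log in JSON-lines form that records parsed form fields and the Cookie header (plain access logs do not keep request bodies, so a proxy or WAF that does is required), that rConfig sessions use the default PHP cookie name PHPSESSID, and the constructed sample lines embedded below. It flags unauthenticated admin-creation POSTs, correlates the three-request sequence per source address within a time window, and checks a response body for the success markers listed above.

```python
import json
from datetime import datetime, timedelta

TARGET = "/lib/crud/userprocess.php"
SESSION_COOKIE = "PHPSESSID"  # assumption: default PHP session cookie name
# Strings the record lists as markers of a successful login response.
SUCCESS_MARKERS = ("rConfig - Configuration Management", "Logged in as", "dashboadFieldSet")

# Constructed sample log lines in the hypothetical proxy/WAF JSON format:
# "form" holds the parsed multipart/urlencoded fields, "cookie" the raw Cookie header.
# Source addresses are documentation ranges; the first three lines model the
# three-step pattern, the fourth is a logged-in administrator legitimately
# adding a user, the fifth is unrelated traffic.
SAMPLE_LOG = """
{"ts": "2020-11-14T10:00:01Z", "src": "203.0.113.5", "method": "POST", "path": "/lib/crud/userprocess.php", "cookie": "", "form": {"ulevelid": "9", "add": "add", "editid": ""}, "status": 302}
{"ts": "2020-11-14T10:00:02Z", "src": "203.0.113.5", "method": "GET", "path": "/login.php", "cookie": "", "form": {}, "status": 200}
{"ts": "2020-11-14T10:00:03Z", "src": "203.0.113.5", "method": "POST", "path": "/lib/crud/userprocess.php", "cookie": "", "form": {"user": "placeholder", "pass": "placeholder", "sublogin": "1"}, "status": 302}
{"ts": "2020-11-14T10:05:00Z", "src": "198.51.100.7", "method": "POST", "path": "/lib/crud/userprocess.php", "cookie": "PHPSESSID=abc123", "form": {"ulevelid": "9", "add": "add", "editid": ""}, "status": 302}
{"ts": "2020-11-14T10:06:00Z", "src": "198.51.100.9", "method": "GET", "path": "/dashboard.php", "cookie": "PHPSESSID=def456", "form": {}, "status": 200}
"""


def parse_log(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def is_authenticated(rec):
    """A request carrying the session cookie is treated as authenticated."""
    return SESSION_COOKIE in rec.get("cookie", "")


def is_unauth_admin_create(rec):
    """POST to userprocess.php with add=add and ulevelid=9 and no session: the bypass pattern."""
    form = rec.get("form", {})
    return (rec["method"] == "POST" and rec["path"] == TARGET
            and not is_authenticated(rec)
            and form.get("add") == "add" and form.get("ulevelid") == "9")


def is_login_attempt(rec):
    """Step 3 of the sequence: POST to userprocess.php with sublogin=1."""
    return (rec["method"] == "POST" and rec["path"] == TARGET
            and rec.get("form", {}).get("sublogin") == "1")


def find_exploit_sequences(records, window=timedelta(minutes=5)):
    """Return (src, iso timestamp) for each unauthenticated admin-create followed,
    from the same source and within the window, by GET /login.php and then a login POST."""
    by_src = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_src.setdefault(rec["src"], []).append(rec)
    hits = []
    for src, recs in by_src.items():
        for i, first in enumerate(recs):
            if not is_unauth_admin_create(first):
                continue
            seen_login_page = False
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if later["method"] == "GET" and later["path"] == "/login.php":
                    seen_login_page = True
                elif seen_login_page and is_login_attempt(later):
                    hits.append((src, first["ts"].isoformat()))
                    break
    return hits


def response_indicates_login(body):
    """True when a response body carries all three success markers from the record."""
    return all(marker in body for marker in SUCCESS_MARKERS)


def unauth_admin_create_sources(records):
    """Sources that issued the admin-creation POST without a session cookie."""
    return [r["src"] for r in records if is_unauth_admin_create(r)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unauthenticated admin-create from:", unauth_admin_create_sources(recs))
    print("three-step sequences:", find_exploit_sequences(recs))
```

The authenticated admin-create from 198.51.100.7 is deliberately not flagged as the bypass, since a logged-in administrator adding a level-9 user is normal behaviour; it is still worth a separate audit rule, because a compromised session produces the same request. The response-marker check is only meaningful when the proxy logs response bodies, which most do not by default.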

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck: 9.8 CRITICAL