CVE-2020-13638
Published: 2020-11-13
Priority: P1 (90) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit available · VulnCheck KEV · Exploited in the wild
EPSS: 76.76% (99.5th percentile)
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | >= 3.9.0 < 3.9.7 | 3.9.7 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /lib/crud/userprocess.php with 'add=add' and 'ulevelid=9' in the body; this is an attempt to create an administrator account without authentication.
- Successful exploitation yields a response body containing 'rConfig - Configuration Management', 'Logged in as' and 'dashboadFieldSet' (the last is the literal matcher string, misspelling included). Monitor for these strings in HTTP responses that follow a POST to /lib/crud/userprocess.php.
- Shodan/FOFA fingerprint for exposed rConfig instances: an HTTP title of 'rConfig' or 'rconfig' identifies the attack surface.
- The exploit sequence is exactly 3 requests: (1) unauthenticated POST to /lib/crud/userprocess.php to create the admin, (2) GET /login.php, (3) POST to /lib/crud/userprocess.php with sublogin=1 to authenticate as the new account. Correlate this 3-step pattern, from one client within a short window, in web logs.
- Only rConfig 3.9.x before 3.9.7 is affected; 3.9.7 and later are patched.
- The exploit is marked 'intrusive': the Nuclei template creates a real administrator account on the target during detection. Run it only against systems you are authorized to test, and remove the account it creates afterwards.
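The detection notes above describe a request pattern rather than a rule. As an added example (not code from this page, the Nuclei template, or the rConfig project), the Python below applies those notes to HTTP events of the kind a reverse proxy or WAF emits when it logs request bodies: it flags the unauthenticated admin-creation POST, then looks for the GET /login.php and sublogin=1 POST from the same client inside a time window, and upgrades the alert when the final response carries the three success strings. The event field names, the sample events, and the "no Cookie header means unauthenticated" heuristic are assumptions made for the example.

```python
"""Detection logic for the CVE-2020-13638 (rConfig) exploit chain.

Added example; event format and sample data are constructed for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

TARGET = "/lib/crud/userprocess.php"
LOGIN_PAGE = "/login.php"
# Strings the detection notes say appear in a successful post-login response
# ('dashboadFieldSet' is the literal matcher string, misspelling included).
SUCCESS_MARKERS = ("rConfig - Configuration Management", "Logged in as", "dashboadFieldSet")
WINDOW = timedelta(minutes=5)  # assumption: how close the 3 requests must be


def _form(ev):
    """Parse a form-encoded request body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(ev.get("body", ""), keep_blank_values=True).items()}


def is_admin_creation(ev):
    """Unauthenticated POST to userprocess.php asking to add a level-9 (admin) user.
    'Unauthenticated' is approximated as 'no Cookie header'; a production rule
    would check for a valid rConfig session instead (assumption)."""
    if ev["method"] != "POST" or ev["path"] != TARGET or ev.get("cookie"):
        return False
    f = _form(ev)
    return f.get("add") == "add" and f.get("ulevelid") == "9"


def is_login_post(ev):
    """Step 3 of the chain: POST to userprocess.php with sublogin=1."""
    return ev["method"] == "POST" and ev["path"] == TARGET and _form(ev).get("sublogin") == "1"


def login_succeeded(ev):
    """All three success markers present in the response body."""
    body = ev.get("response_body", "")
    return all(m in body for m in SUCCESS_MARKERS)


def detect(events):
    """Return alerts: one 'admin_create_attempt' per matching POST, plus one
    'bypass_sequence' / 'bypass_succeeded' when the same client completes the
    create -> GET /login.php -> login POST chain inside WINDOW."""
    alerts = []
    by_client = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_client.setdefault(ev["client"], []).append(ev)
    for client, evs in by_client.items():
        for i, ev in enumerate(evs):
            if not is_admin_creation(ev):
                continue
            alerts.append({"client": client, "ts": ev["ts"], "rule": "admin_create_attempt"})
            start = datetime.fromisoformat(ev["ts"])
            saw_login_page = False
            for nxt in evs[i + 1:]:  # look ahead for steps 2 and 3
                if datetime.fromisoformat(nxt["ts"]) - start > WINDOW:
                    break
                if nxt["method"] == "GET" and nxt["path"] == LOGIN_PAGE:
                    saw_login_page = True
                elif saw_login_page and is_login_post(nxt):
                    rule = "bypass_succeeded" if login_succeeded(nxt) else "bypass_sequence"
                    alerts.append({"client": client, "ts": nxt["ts"], "rule": rule})
                    break
    return alerts


# Constructed sample events: one attacker chain and one benign, authenticated
# user-creation from the admin UI (which must not fire).
SAMPLE_EVENTS = [
    {"client": "203.0.113.5", "ts": "2023-12-19T10:00:01", "method": "POST", "path": TARGET,
     "cookie": "", "body": "add=add&ulevelid=9", "response_body": ""},
    {"client": "203.0.113.5", "ts": "2023-12-19T10:00:02", "method": "GET", "path": LOGIN_PAGE,
     "cookie": "", "body": "", "response_body": "<title>rConfig</title>"},
    {"client": "203.0.113.5", "ts": "2023-12-19T10:00:03", "method": "POST", "path": TARGET,
     "cookie": "PHPSESSID=abc", "body": "sublogin=1",
     "response_body": "<title>rConfig - Configuration Management</title> Logged in as x "
                      "<fieldset id=\"dashboadFieldSet\">"},
    {"client": "198.51.100.7", "ts": "2023-12-19T11:00:00", "method": "POST", "path": TARGET,
     "cookie": "PHPSESSID=def", "body": "add=add&ulevelid=9", "response_body": ""},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Access logs that omit request bodies cannot supply the add=add / ulevelid=9 condition; there, only the path-and-method sequence from one client is observable, so expect more false positives and treat the response markers as the confirming signal.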
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-938p-268q-56rj · ghsa_unreviewed · 2022-05-24 · CVE-2020-13638 [CRITICAL] · CWE-287
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
VulnCheck
rConfig rConfig Improper Privilege Management · vulncheck · 2020 · CVSS 9.8 · CVE-2020-13638 [CRITICAL]
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
Affected: rConfig rConfig
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-19&host_type=src&vulnerability=cve-2020-13638; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-23&host_type=src&vulnerability=cve-2020-13638; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerabil
No detection rules found.
Nuclei
rConfig 3.9 - Authentication Bypass (Admin Login) · nuclei · CVSS 9.8 · CVE-2020-13638 [CRITICAL]
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
Template (info section as indexed; the request section is not included on this page):

```yaml
id: CVE-2020-13638

info:
  name: rConfig 3.9 - Authentication Bypass(Admin Login)
  author: theamanrawat
  severity: critical
  description: |
    lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
  impact: |
    Unauthenticated attackers can bypass authentication to create administrator accounts, leading to complete control over the rConfig installation and access to all network device configurations.
  remediation: |
    Upgrade to rConfig version 3.9.7 or later.
  reference:
    -
```
No writeups or analysis indexed.
Timeline: 2020-11-13 published · exploited in the wild