CVE-2020-14945
Published 2020-06-22
Priority P2 · 66 · high · 8.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit referenced (see references below)
EPSS: 11.40% (95.5th percentile)
A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.24750 and earlier that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e., the BankAdmin role) via modified SaveUser data.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| globalradar | bsa_radar | <= 1.6.7234.24750 | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /WS/AjaxWS.asmx/SaveUser originating from non-administrative user sessions, especially where the JSON body contains "Role":"BANKADMIN": this is the forged privilege escalation payload.
- Detect low-privileged users calling the SaveUser admin endpoint (intended only for admins to update privileges) rather than the SaveUserProfile endpoint used for normal profile saves; cross-endpoint abuse is the core exploitation mechanism.
- Alert on any account whose role transitions to BANKADMIN (BankAdmin) without a corresponding administrative action, as successful exploitation grants full administration rights.
- The vulnerability affects BSA Radar version 1.6.7234.24750 and all earlier versions; ensure detection rules are scoped to environments running these versions.
- Exploitation requires an already-authenticated, low-privileged session; unauthenticated access alone is insufficient to trigger this privilege escalation.
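The three detection bullets above translate directly into two checks: flag SaveUser calls from non-admin sessions (with a higher severity when the body carries the BankAdmin role), and flag audit records where an account becomes BankAdmin without an admin actor. The following is an added illustration written for this page, not code from the CVE record, its references, or the vendor; the JSON-per-line log schema (`method`, `path`, `session_user`, `session_role`, `body`) and the audit-event fields are hypothetical, and the sample lines are constructed. Only the endpoint path and role name come from the record.

```python
import json
from typing import Any, Iterable

# Endpoint and role names are taken from the CVE record above.
SAVEUSER_PATH = "/WS/AjaxWS.asmx/SaveUser"
ADMIN_ROLE = "BANKADMIN"


def _parse_body(body: Any) -> dict:
    """Return the request body as a dict; tolerate raw JSON text or junk."""
    if isinstance(body, dict):
        return body
    if isinstance(body, str):
        try:
            parsed = json.loads(body)
            return parsed if isinstance(parsed, dict) else {}
        except json.JSONDecodeError:
            return {}
    return {}


def _is_admin(role: Any) -> bool:
    # The record spells the role both BANKADMIN and BankAdmin; compare case-insensitively.
    return isinstance(role, str) and role.strip().upper() == ADMIN_ROLE


def find_saveuser_abuse(log_lines: Iterable[str]) -> list[dict]:
    """Scan JSON-per-line web logs (hypothetical schema) for SaveUser calls
    from non-admin sessions.

    Severity "high": the body also requests the BankAdmin role (the forged
    payload named in the record). Severity "medium": any other non-admin
    POST to the admin-only endpoint (cross-endpoint abuse).
    """
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if str(rec.get("path", "")).rstrip("/").lower() != SAVEUSER_PATH.lower():
            continue
        if _is_admin(rec.get("session_role")):
            continue  # admins are the intended callers of SaveUser
        requested_role = _parse_body(rec.get("body")).get("Role")
        if _is_admin(requested_role):
            severity, reason = "high", "non-admin session submitted Role=BANKADMIN to SaveUser"
        else:
            severity, reason = "medium", "non-admin session called admin-only SaveUser endpoint"
        findings.append({"ts": rec.get("ts"), "user": rec.get("session_user"),
                         "severity": severity, "reason": reason})
    return findings


def find_unsanctioned_admin_grants(audit_events: Iterable[dict]) -> list[dict]:
    """Flag role changes to BankAdmin whose actor is not already an admin."""
    return [
        {"target": ev.get("target"), "actor": ev.get("actor")}
        for ev in audit_events
        if _is_admin(ev.get("new_role")) and not _is_admin(ev.get("actor_role"))
    ]


# Constructed sample data (hypothetical schema, not BSA Radar's real log format).
SAMPLE_EVENTS = [
    {"ts": "2020-06-22T10:00:01Z", "method": "POST", "path": "/WS/AjaxWS.asmx/SaveUserProfile",
     "session_user": "alice", "session_role": "USER",
     "body": {"UserID": 17, "Email": "alice@example.test"}},          # normal profile save
    {"ts": "2020-06-22T10:00:05Z", "method": "POST", "path": SAVEUSER_PATH,
     "session_user": "alice", "session_role": "USER",
     "body": {"UserID": 17, "Role": "BANKADMIN"}},                    # forged escalation
    {"ts": "2020-06-22T10:01:10Z", "method": "POST", "path": SAVEUSER_PATH,
     "session_user": "root_admin", "session_role": "BankAdmin",
     "body": {"UserID": 23, "Role": "USER"}},                         # legitimate admin use
    {"ts": "2020-06-22T10:02:00Z", "method": "POST", "path": SAVEUSER_PATH,
     "session_user": "bob", "session_role": "USER",
     "body": '{"UserID": 19, "Email": "bob@example.test"}'},         # body logged as raw text
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json at all"]

SAMPLE_AUDIT = [
    {"actor": "root_admin", "actor_role": "BANKADMIN", "target": "dave", "new_role": "BANKADMIN"},
    {"actor": "alice", "actor_role": "USER", "target": "alice", "new_role": "BankAdmin"},
]

if __name__ == "__main__":
    for f in find_saveuser_abuse(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['user']}: {f['reason']}")
    for g in find_unsanctioned_admin_grants(SAMPLE_AUDIT):
        print(f"[high] {g['target']} became BankAdmin via non-admin actor {g['actor']}")
```

On the constructed sample this yields a high-severity finding for alice, a medium one for bob, nothing for the admin session, and one unsanctioned grant (alice promoting herself). In a real deployment the role of the calling session must come from the server-side session store, not from any client-supplied field, since the whole point of the vulnerability is that the client controls the request body.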
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/wsummerhill/BSA-Radar_CVE-Vulnerabilities
- https://github.com/wsummerhill/BSA-Radar_CVE-Vulnerabilities/blob/master/CVE-2020-14945%20-%20Privilege%20Escalation.md
- https://www.exploit-db.com/exploits/48649