Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-15046

CWE-352Cross-Site Request Forgery (CSRF)5 documents4 sources
Severity
8.8HIGH
EPSS
0.6%
top 29.28%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Supermicro X10drh-it BiosSupermicro X10drh-it Firmware
Timeline
PublishedJun 24
Latest updateMay 24

Description

The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 and firmware 03.88.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-rmxm-6j87-8r3p: The web interface on Supermicro X10DRH-iT motherboards with BIOS 22022-05-24
CVEList
CVE-2020-15046: The web interface on Supermicro X10DRH-iT motherboards with BIOS 22020-06-24

💥Exploits & PoCs

2
Exploit-DB
SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)2020-07-15
Exploit-DB
SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)2020-07-08
CVE-2020-15046 (HIGH CVSS 8.8) | The web interface on Supermicro X10 | cvebase.io