CVE-2020-15492
published 2020-07-23

Priority: P2 74 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT available · EPSS: 16.59% (96.6th percentile)
An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.
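The description names the bug class (user input joined into a filesystem path with no further validation) but the vendor's code is not on this page. The block below is an added example, not INNEO's code: a generic resolver written in the vulnerable pattern next to a hardened one that canonicalises the request and confines it to a document root. The document root, the file names and the requests are constructed for the illustration; the only page-sourced details are the ten-level traversal and the `.log\0.php` null-byte shape from the IOC list.

```python
import os

# Constructed document root for this example. The advisory only says the
# server includes user input in a filesystem access; it does not publish the
# vendor's code or the real web root, so everything below is illustrative.
WEB_ROOT = os.path.join(os.getcwd(), "sut_web_root_example")


class PathRejected(Exception):
    """Raised by hardened_resolve() for requests that must not reach the disk."""


def vulnerable_resolve(user_path: str) -> str:
    """The pattern the advisory describes: user input joined onto a base path
    with no further validation. os.path.join does not collapse '..', so the
    returned string still climbs out of WEB_ROOT when it is later opened."""
    return os.path.join(WEB_ROOT, user_path.lstrip("/"))


def hardened_resolve(user_path: str) -> str:
    """Canonicalise the requested path and confine it to WEB_ROOT.

    Two independent checks:
      1. reject embedded NUL bytes up front (a NUL truncates C-string paths,
         which is what the '.log\\0.php' IOC on this page relies on);
      2. resolve the candidate with realpath() and require the result to sit
         under the resolved root, which defeats any traversal depth as well
         as symlink tricks, without trying to enumerate bad substrings.
    """
    if "\x00" in user_path:
        raise PathRejected("NUL byte in requested path")
    # The server in the advisory is a Windows binary; treat '\' as a separator
    # so 'a\..\..\b' gets the same handling as 'a/../../b'.
    candidate = user_path.replace("\\", "/").lstrip("/")
    root = os.path.realpath(WEB_ROOT)
    resolved = os.path.realpath(os.path.join(root, candidate))
    # Compare with the trailing separator included: '/srv/www2' must not be
    # accepted as being inside '/srv/www'.
    if resolved != root and not resolved.startswith(root + os.sep):
        raise PathRejected("path escapes document root: %r" % user_path)
    return resolved


def is_confined(user_path: str) -> bool:
    """True if hardened_resolve() would serve the request, False if it rejects it."""
    try:
        hardened_resolve(user_path)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed requests: a legitimate file, the ten-level traversal from the
    # IOC list, and a log-file request carrying a NUL byte.
    for req in ("software/LOG/sut_server_example.log",
                "/../../../../../../../../../../windows/win.ini",
                "software/LOG/sut_server_example.log\x00.php"):
        print(repr(req), "vulnerable ->", vulnerable_resolve(req))
        print(repr(req), "hardened   ->", "served" if is_confined(req) else "rejected")
```

The hardened version deliberately does not blacklist `../`: it resolves the path and checks the result, so encoded or mixed-separator variants are handled by the same rule. The NUL check stays separate because `realpath()` on a string containing a NUL byte raises rather than resolves, and the rejection should be explicit.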

Affected

1 range

Vendor    Product         Version range                  Fixed in
inneo     startup_tools   12.0.66.3784 – 13.0.70.3804    (not listed)

Detection & IOCs (extracted from sources)

Indicators:
  process: sut_srv.exe
  path:    /../../../../../../../../../../
  path:    PROGRA~2/stools
  path:    software/LOG/sut_server_%s.log\0.php
  command: powershell.exe -exec bypass -EncodedCommand

Detection logic:
  • Detect directory traversal attempts against TCP port 85 (sut_srv.exe) containing repeated '../' sequences; the exploit uses a traversal depth of at least 10 levels ('/../' × 10). Normalize percent-encoding before counting so that '..%2f' variants are not missed.
  • Alert on HTTP GET requests to port 85 whose path contains a null byte (literal or '%00') followed by '.php' (e.g. '.log\0.php'), indicating log poisoning / LFI-to-RCE via PHP null-byte injection.
  • Monitor HTTP GET requests to port 85 targeting paths under 'software/LOG/' combined with traversal sequences, which indicates an attempt to include a poisoned log file for RCE.
  • Detect sut_srv.exe spawning powershell.exe as a child process with '-exec bypass -EncodedCommand', the final RCE payload delivery mechanism.

Caveats:
  • Affected versions are INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804 only; detections scoped to TCP port 85 should be limited to hosts running sut_srv.exe in this version range to reduce false positives.
  • The default install directory used in the exploit is 'PROGRA~2/stools'; detections referencing install paths should account for non-default installation directories.
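The four detection rules above as runnable logic over sample log lines. This is an added example, not a rule from the cited sources: the access-log and process-event line formats, every sample line, and the dummy `-EncodedCommand` argument are constructed for the illustration, while the port, the traversal depth, the `software/LOG/` fragment and the PowerShell markers are taken from the IOC list.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List

# Detection parameters taken from the IOC list above. The two log formats
# (an HTTP access line and a process-creation line) and every sample line
# below are constructed for this example; they are not vendor or EDR output.
TARGET_PORT = 85
TRAVERSAL_DEPTH = 10                 # '/../' x 10 in the published exploit
LOG_PATH_FRAGMENT = "software/log/"  # compared case-insensitively
PS_MARKERS = ("-exec bypass", "-encodedcommand")

_HTTP_LINE = re.compile(
    r'^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
_PROC_LINE = re.compile(
    r'^proc parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


@dataclass
class Finding:
    line: str
    reasons: List[str]


def inspect_http(line: str) -> List[str]:
    """Rules 1-3 from the IOC list, applied to one access-log line.
    Returns the list of rules tripped (empty for benign or off-port traffic)."""
    m = _HTTP_LINE.match(line)
    if not m or int(m.group("port")) != TARGET_PORT:
        return []
    # Percent-decode first so '..%2f' and '%00' are seen as '../' and NUL,
    # then fold backslashes so Windows-style traversal counts as well.
    target = urllib.parse.unquote(m.group("target")).replace("\\", "/")
    lowered = target.lower()
    reasons = []
    depth = target.count("../")
    if depth >= TRAVERSAL_DEPTH:
        reasons.append(f"traversal depth {depth} >= {TRAVERSAL_DEPTH} on port {TARGET_PORT}")
    if "\x00.php" in lowered:
        reasons.append("NUL byte followed by .php (log poisoning / LFI-to-RCE)")
    if LOG_PATH_FRAGMENT in lowered and "../" in target:
        reasons.append("traversal into software/LOG/ (poisoned log include)")
    return reasons


def inspect_process(line: str) -> List[str]:
    """Rule 4: sut_srv.exe spawning powershell.exe -exec bypass -EncodedCommand."""
    m = _PROC_LINE.match(line)
    if not m:
        return []
    parent, image, cmd = (m.group(k).lower() for k in ("parent", "image", "cmd"))
    if (parent.endswith("sut_srv.exe") and image.endswith("powershell.exe")
            and all(marker in cmd for marker in PS_MARKERS)):
        return ["sut_srv.exe spawned powershell.exe -exec bypass -EncodedCommand"]
    return []


def scan(lines) -> List[Finding]:
    """Run both inspectors over a log and keep only lines that tripped a rule."""
    findings = []
    for line in lines:
        reasons = inspect_http(line) + inspect_process(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample log. The encoded PowerShell argument is a dummy
# ('AAA' in UTF-16LE, base64-encoded), not a real payload.
SAMPLE_LOG = [
    '10.0.0.5 -> 10.0.0.10:85 "GET /index.html HTTP/1.1"',
    '10.0.0.5 -> 10.0.0.10:85 "GET /../../../../../../../../../../windows/win.ini HTTP/1.1"',
    '10.0.0.5 -> 10.0.0.10:85 "GET /../../../../../../../../../../PROGRA~2/stools/'
    'software/LOG/sut_server_example.log%00.php HTTP/1.1"',
    '10.0.0.5 -> 10.0.0.10:80 "GET /../../../../../../../../../../etc/passwd HTTP/1.1"',
    r'proc parent=C:\PROGRA~2\stools\sut_srv.exe '
    r'image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmd="powershell.exe -exec bypass -EncodedCommand QQBBAEEA"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The port filter and the `sut_srv.exe` parent check implement the two caveats above: the same traversal on port 80 (fourth sample line) is ignored, and a PowerShell launch from any other parent is not a hit. A single `unquote()` pass covers `%2e%2e%2f` and `%00` but not double-encoded input such as `%252e`; if the server is known to decode twice, decode twice before counting.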

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P