cbcvebase.
CVE-2020-15920
published 2020-07-24

Priority: P192 · critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 98.24% (99.9th percentile)

There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. No authentication is required.

Affected (1 range)

Vendor          Product      Version range   Fixed in
midasolutions   eframework   <= 2.9.0

Detection & IOCs (extracted from sources)

path: /PDC/ajaxreq.php
url: /PDC/ajaxreq.php?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING
  • Monitor for unauthenticated POST requests to /PDC/ajaxreq.php that carry the DIAGNOSIS=PING parameter together with shell metacharacters (e.g., semicolons, including the encoded form %3B) in the PARAM parameter; this combination indicates an OS command injection attempt.
  • Alert on HTTP responses from /PDC/ajaxreq.php whose body matches the pattern 'root:.*:0:0:', which indicates successful /etc/passwd exfiltration via command injection.
  • The Google dork 'Server: Mida eFramework' identifies exposed instances; correlate those hosts with POST traffic to /PDC/ajaxreq.php.
  • The apache user on vulnerable appliances can execute any command as root without a password via sudo, so monitor for privilege escalation from the apache process to root following web requests to ajaxreq.php.
  • No authentication is required to exploit this vulnerability; the vulnerable endpoint /PDC/ajaxreq.php is fully unauthenticated, meaning network-level access alone is sufficient for exploitation.
  • The Nuclei template uses a single POST request for detection; the DIAGNOSIS parameter must be set to PING and the PARAM parameter carries the injected payload, so detection rules should account for both parameters being present.
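
The detection points above, combined into one check over HTTP transaction records. This is an added example, not code from the sources this page cites or from the Nuclei template; the record schema (url, body, response_body) and the finding labels are assumptions, and it goes slightly beyond the bullets by inspecting both the query string and the form body. Sample records are constructed, except the request string, which is the one listed on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/PDC/ajaxreq.php"
# Characters a ping target never needs; checked after URL-decoding.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
# Response pattern named on the page for /etc/passwd content.
PASSWD_LINE = re.compile(r"root:.*:0:0:")


def inspect(record):
    """Return findings for one HTTP transaction.

    `record` is a dict with url, body and response_body keys
    (an assumed schema, adapt to your proxy or WAF log format).
    """
    findings = []
    parts = urlsplit(record["url"])
    if parts.path != ENDPOINT:
        return findings
    # Merge query-string and form-body parameters; parse_qs decodes %3B and '+'.
    params = parse_qs(parts.query, keep_blank_values=True)
    body = parse_qs(record.get("body") or "", keep_blank_values=True)
    for name, values in body.items():
        params.setdefault(name, []).extend(values)
    is_ping = any(v.upper() == "PING" for v in params.get("DIAGNOSIS", []))
    tainted = any(SHELL_META.search(v) for v in params.get("PARAM", []))
    if is_ping and tainted:
        findings.append("injection-attempt")
    if PASSWD_LINE.search(record.get("response_body") or ""):
        findings.append("passwd-in-response")
    return findings


# The request string is the one listed on this page; everything else is constructed.
PAGE_QUERY = "PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING"
SAMPLES = [
    {"url": ENDPOINT + "?" + PAGE_QUERY, "body": "",
     "response_body": "root:x:0:0:root:/root:/bin/bash\n"},
    {"url": ENDPOINT, "body": PAGE_QUERY, "response_body": ""},
    {"url": ENDPOINT, "body": "PARAM=127.0.0.1&DIAGNOSIS=PING",
     "response_body": "PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data."},
    {"url": "/index.php?" + PAGE_QUERY, "body": "", "response_body": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["url"][:40], inspect(sample))
```

A request that triggers both findings is the case to escalate first: the attempt was made and the response suggests it succeeded.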

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL