cbcvebase.
CVE-2020-17505
published 2020-08-12


Priority: P1 · 88 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 82.16% (99.6th percentile)
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.

Affected

1 range

Vendor | Product | Version range | Fixed in
articatech | web_proxy | |

Detection & IOCs (extracted from sources)

path: /fw.login.php
path: /cyrus.index.php
path: /cyrus.php
command: GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
command: GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C
  • Detect auth bypass attempt: HTTP GET to /fw.login.php with 'apikey' parameter containing a UNION SELECT SQL injection payload and a base64-encoded session cookie value.
  • Detect command injection attempt: HTTP GET to /cyrus.index.php with 'service-cmds-peform' parameter containing pipe-delimited OS commands (e.g., ||whoami||).
  • Response body indicators of successful exploitation include the strings 'array(2)', 'Position: ||whoami||', and 'root' all present simultaneously.
  • The injected commands in the 'service-cmds' / 'service-cmds-peform' parameter are executed with root privileges via the internal function service_cmds_peform.
  • The auth bypass (Step 1) uses a SQL UNION injection in the 'apikey' parameter of /fw.login.php to set a crafted session cookie, allowing unauthenticated access to the command injection endpoint. Both steps must be chained for unauthenticated RCE.
  • The vulnerability affects Artica Web Proxy version 4.30.000000 specifically, running as a virtual appliance where the web process has root privileges.
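
One way to apply the two request checks and the chaining note above to web access logs, as an added example that is not taken from the advisory or its sources. It assumes combined-format log lines; the sample lines, client addresses and the base64 placeholder are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: combined-format access log (client address first, quoted request line).
LINE_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\b.+?\bselect\b", re.I | re.S)
SHELL_META_RE = re.compile(r"[|;&`]|\$\(")  # pipe-delimited commands and similar
CMD_PATHS = {"/cyrus.php", "/cyrus.index.php"}
CMD_PARAMS = {"service-cmds", "service-cmds-peform"}

SAMPLE_LOG = [  # constructed lines; addresses come from documentation ranges
    '198.51.100.7 - - [12/Aug/2020:10:00:01 +0000] "GET /fw.login.php?apikey=%27UNION%20select%201,%27QUJDREVGR0hJSktMTU5PUA==%27; HTTP/1.1" 200 120',
    '198.51.100.7 - - [12/Aug/2020:10:00:02 +0000] "GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1" 200 310',
    '203.0.113.9 - - [12/Aug/2020:10:05:00 +0000] "GET /cyrus.php?service-cmds=restart HTTP/1.1" 200 88',
    '203.0.113.20 - - [12/Aug/2020:10:06:00 +0000] "GET /fw.login.php?apikey=abc123 HTTP/1.1" 200 64',
]

def classify(line):
    """Return (client, rule) for a suspicious log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qsl percent-decodes names and values before the patterns run.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if url.path == "/fw.login.php" and name == "apikey" and UNION_RE.search(value):
            return m.group("client"), "auth-bypass-sqli"
        if url.path in CMD_PATHS and name in CMD_PARAMS and SHELL_META_RE.search(value):
            return m.group("client"), "command-injection"
    return None

def scan(lines):
    """Map client -> ordered rule hits; a bypass followed by injection is 'chained'."""
    hits = {}
    for line in lines:
        hit = classify(line)
        if hit:
            client, rule = hit
            seen = hits.setdefault(client, [])
            if rule == "command-injection" and "auth-bypass-sqli" in seen:
                rule = "chained-bypass-and-injection"
            seen.append(rule)
    return hits

if __name__ == "__main__":
    for client, rules in scan(SAMPLE_LOG).items():
        print(client, rules)
```

A `chained-bypass-and-injection` hit that coincides with a response containing the body indicators listed above is the highest-priority finding to triage.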

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck | 8.8 | HIGH