cbcvebase.
CVE-2020-17506
published 2020-08-12

Priority: P1 · 89 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV (Exploited in the wild)
EPSS: 93.97% (99.8th percentile)
Artica Web Proxy 4.30.00000000 allows a remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.

Affected

1 range
Vendor | Product | Version range | Fixed in
articatech | web_proxy | |

Detection & IOCs (extracted from sources)

path: /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
path: /cyrus.index.php?service-cmds-peform=||{}||
  • Detect CVE-2020-17506 exploitation attempts by matching GET requests to /fw.login.php containing the SQL injection payload with UNION select and the base64-encoded serialized session string in the apikey parameter.
  • After auth bypass, the attacker issues a POST to /cyrus.index.php with the service-cmds-peform parameter containing pipe-delimited OS commands (e.g., ||<cmd>||). Monitor for this pattern as the command injection stage.
  • Successful auth bypass results in a Set-Cookie header containing PHPSESSID and a response body containing the string 'artica-applianc'. Use both as confirmation matchers.
  • The exploit chain combines two stages: (1) unauthenticated SQL injection via apikey in fw.login.php to obtain a privileged session, then (2) authenticated OS command injection via service-cmds-peform in cyrus.index.php, resulting in RCE as root.
  • The vulnerability is version-specific; only Artica Web Proxy 4.30.00000000 is confirmed affected. Detection rules should be scoped accordingly to reduce false positives against other versions.
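
The two request patterns above can be checked in web access logs and correlated per client. The following is an added example, not code from this page or from Artica; it assumes combined-format access logs with the parameters visible in the request URI, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a combined-format access log entry (log format is an assumption).
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
SQLI = re.compile(r"union\s+select", re.I)
# Pipe-delimited value as described on the page: ||<cmd>||
CMD = re.compile(r"\|\|.*\|\|", re.S)

def classify(line):
    """Return 'stage1-sqli', 'stage2-cmdi' or None for one log line."""
    m = REQ.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    # parse_qsl percent-decodes values, so %27UNION%20select is matched decoded.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    path = parts.path.lower()
    if path.endswith("/fw.login.php") and SQLI.search(params.get("apikey", "")):
        return "stage1-sqli"
    # Body-only POST parameters never reach an access log; use WAF/proxy logs for those.
    if path.endswith("/cyrus.index.php") and CMD.search(params.get("service-cmds-peform", "")):
        return "stage2-cmdi"
    return None

def find_chains(lines):
    """Return client IPs that hit stage 1 and later stage 2 (the full chain)."""
    seen_stage1, chained = set(), []
    for line in lines:
        ip = line.split(" ", 1)[0]
        stage = classify(line)
        if stage == "stage1-sqli":
            seen_stage1.add(ip)
        elif stage == "stage2-cmdi" and ip in seen_stage1 and ip not in chained:
            chained.append(ip)
    return chained

# Constructed sample lines (documentation IP ranges, placeholder payload values).
SAMPLE = [
    '203.0.113.7 - - [12/Aug/2020:10:00:01 +0000] "GET /fw.login.php?apikey=%27UNION%20select%201,%27PLACEHOLDER_B64%27; HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2020:10:00:03 +0000] "POST /cyrus.index.php?service-cmds-peform=||CMD|| HTTP/1.1" 200 88',
    '198.51.100.9 - - [12/Aug/2020:10:01:00 +0000] "GET /fw.login.php HTTP/1.1" 200 4096',
    '198.51.100.9 - - [12/Aug/2020:10:01:05 +0000] "GET /fw.login.php?apikey=abc123 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(find_chains(SAMPLE))
```

A stage 1 hit alone is an attempt; a stage 2 hit from the same client afterwards indicates the bypass likely succeeded and should be escalated.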

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL