CVE-2020-21224
Published: 2021-02-22
Priority: P187 · critical 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit · VulnCheck KEV)
EPSS: 38.75% (98.4th percentile)
A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to the control server
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inspur | clusterengine | — | — |
Detection & IOCs (extracted from sources)
- Exploit POST to /login with command injection in the username field using backtick shell execution; Content-Type must be application/x-www-form-urlencoded
- Exploit POST to /sysShell endpoint with op=doPlease parameter; no authentication required; response contains /etc/passwd content on successful RCE
- FOFA fingerprint query for identifying vulnerable Inspur ClusterEngine V4.0 instances: title="TSCEV4.0"
- Successful exploitation is confirmed when the HTTP 200 response body matches the regex root:.*:0:0: (i.e., /etc/passwd content is reflected)
- The /sysShell endpoint allows unauthenticated remote command execution by design (not a misconfiguration), making it a permanently exposed attack surface on unpatched systems
- Both attack vectors (/login and /sysShell) require no authentication (PR:N), no user interaction (UI:N), and are network-accessible (AV:N), maximizing exposure on internet-facing deployments
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-h24g-qx52-8pp4: A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4
ghsa_unreviewed · 2022-05-24 · CVE-2020-21224 [CRITICAL] · CWE-88
A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to the control server.
VulnCheck
inspur clusterengine Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
vulncheck · 2020 · CVSS 9.8 · CVE-2020-21224 [CRITICAL]
A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to the control server.
Affected: inspur clusterengine
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/
No detection rules found.
Nuclei
Inspur ClusterEngine 4.0 - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2020-21224 [CRITICAL]
Inspur ClusterEngine V4.0 is susceptible to a remote code execution vulnerability. A remote attacker can send a malicious login packet to the control server.
Template:
```yaml
id: CVE-2020-21224
info:
  name: Inspur ClusterEngine 4.0 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: Inspur ClusterEngine V4.0 is susceptible to a remote code execution vulnerability. A remote attacker can send a malicious login packet to the control server.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or updates provided by Inspur to mitigate this vulnerability.
  reference:
    - https://github.com/NS-Sp4ce/Inspur/tree/
```
Nuclei
Inspur Clusterengine V4 SYSshell - Remote Command Execution
nuclei · CVSS 9.8 · CVE-2020-21224 [CRITICAL]
Inspur Clusterengine V4 SYSshell was found and allows remote command execution by design.
Template:
```yaml
id: inspur-clusterengine-rce
info:
  name: Inspur Clusterengine V4 SYSshell - Remote Command Execution
  author: ritikchaddha
  severity: critical
  description: Inspur Clusterengine V4 SYSshell was found and allows remote command execution by design.
  reference:
    - https://www.inspursystems.com/
    - https://github.com/MzzdToT/ClusterEngineV4.0sysShell_rce
    - https://nvd.nist.gov/vuln/detail/CVE-2020-21224
    - https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-21224
    cwe-id: CWE-88
    cpe: cpe:2.3:a:inspur:clusterengine:*
```
Fortinet
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
blogs_fortinet · 2022-10-21 · CVSS 9.8 · CVE-2022-22954 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 21, 2022
In April, VMware patched a vulnerability, CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on the parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. But in August, there were a few particular payloads which got our interest. They had th
Unit42
Network Attack Trends: February-April 2021
blogs_unit42 · 2021-07-01
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
Unit42
Network Attack Trends: February-April 2021
blogs_unit42 · 2021-07-01 · Threat Research Center / Trend Reports / Vulnerabilities
Authors: Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen. Published: July 1, 2021.
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio