CVE-2020-24217
published 2020-10-06

Priority: P191 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 38.96% (98.4th percentile)
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.

Detection & IOCs (extracted from sources)

url: http://<host>/
command: curl -sF "upgrade=;filename=\"logo;$2;.png\"" http://$1
command: curl -s -F '[email protected]' http://$1
  • Detect unauthenticated HTTP POST requests to the firmware/logo upload endpoint containing the 'upgrade' multipart form field — no authentication headers required by the vulnerable device.
  • Detect multipart form-data POST requests where the 'upgrade' field filename contains semicolons, indicating a command injection attempt (e.g., filename pattern: logo;<cmd>;.png).
  • Detect upload of RAR archive files (magic bytes or Content-Type) to the firmware upgrade endpoint on HiSilicon-based IPTV/H.264/H.265 encoders, as malicious firmware can be delivered as a RAR file.
  • Flag HTTP requests to HiSilicon encoder web interfaces that use multipart/form-data with field name 'upgrade' without any session cookie or Authorization header present.
  • The exploit targets multiple vendor OEM devices all based on the same HiSilicon chipset; the vulnerable upload endpoint path is not explicitly specified in the sources, requiring fingerprinting of the target device's web interface to confirm the exact endpoint.
  • The firmware version is described as vendor-specific; there is no single universal version string to match, so detection must rely on behavioral indicators (unauthenticated upload) rather than version matching alone.
  • Command injection is embedded inside the filename parameter of the multipart upload, possibly in conjunction with firmware upload; both attack vectors must be monitored independently.
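
The checks listed above, combined into one inspection function as an added example (not code from the advisory, the sources or any vendor). It takes one raw HTTP request as captured by a proxy or sensor; the finding labels, host name, boundary and sample requests are constructed for illustration.

```python
import re

RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of RAR 4.x and 5.x signatures

def inspect_request(raw: bytes) -> list:
    """Return detection findings for one raw HTTP request (headers + body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"")
    boundary = re.search(rb'boundary="?([^";]+)', ctype, re.I)
    if (not lines[0].startswith(b"POST ") or not boundary
            or not ctype.lower().startswith(b"multipart/form-data")):
        return []
    findings = []
    for part in body.split(b"--" + boundary.group(1)):
        phead, sep, pbody = part.partition(b"\r\n\r\n")
        # Only the form field named 'upgrade' is of interest (not filename="upgrade").
        if not sep or not re.search(rb'(?<![a-z])name="upgrade"', phead, re.I):
            continue
        findings.append("upgrade-upload")
        # No session cookie and no Authorization header on an upgrade upload.
        if b"cookie" not in headers and b"authorization" not in headers:
            findings.append("no-auth")
        fname = re.search(rb'filename="((?:[^"\\]|\\.)*)"', phead, re.I)
        if fname and b";" in fname.group(1):
            findings.append("filename-semicolon")
        # RAR delivery: magic bytes in the part body or a RAR part Content-Type.
        if pbody.startswith(RAR_MAGIC) or re.search(rb"content-type:[^\r\n]*rar", phead, re.I):
            findings.append("rar-payload")
    return findings

def build_request(extra_headers: bytes, filename: bytes, content: bytes) -> bytes:
    """Build a constructed sample request (host name and boundary are made up)."""
    return (b"POST / HTTP/1.1\r\nHost: encoder.example\r\n" + extra_headers +
            b"Content-Type: multipart/form-data; boundary=XyZ\r\n\r\n"
            b'--XyZ\r\nContent-Disposition: form-data; name="upgrade"; filename="' +
            filename + b'"\r\n\r\n' + content + b"\r\n--XyZ--\r\n")

# Constructed samples: a semicolon filename, and a RAR upload that carries a cookie.
SAMPLE_INJECT = build_request(b"", b"logo;CMD;.png", b"")
SAMPLE_RAR = build_request(b"Cookie: sid=abc\r\n", b"fw.rar", RAR_MAGIC + b"\x00constructed")

if __name__ == "__main__":
    for sample in (SAMPLE_INJECT, SAMPLE_RAR):
        print(inspect_request(sample))
```

Because the endpoint path is not specified in the sources, the function keys on the form field and headers rather than on a URL path.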

CVSS provenance

  • nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
  • vulncheck | 9.8 | CRITICAL