CVE-2020-24365
published 2020-09-24


Priority: P2 (70, high)
CVSS 3.1: 8.8
Exploit: public exploit available
EPSS: 11.41% (95.5th percentile)
An issue was discovered on Gemtek WRTM-127ACN 01.01.02.141 and WRTM-127x9 01.01.02.127 devices. The Monitor Diagnostic network page allows an authenticated attacker to execute a command directly on the target machine. Commands are executed as the root user (uid 0). (Even if a login is required, most routers are left with default credentials.)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
gemteks | wrtm-127acn_firmware | (not specified) | (not specified)
gemteks | wrtm-127x9_firmware | (not specified) | (not specified)

Detection & IOCs (extracted from sources)

url: http://<target>/cgi-bin/sysconf.cgi?page=login.asp&action=login
url: http://<target>/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$(<command>;)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4
cookie: sid
path: /tmp/mon_diag.log
path: /cgi-bin/sysconf.cgi
command: sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&
  • Monitor HTTP GET requests to /cgi-bin/sysconf.cgi with the query parameters action=save_monitor_diagnostic and a mon_diag_addr value containing shell metacharacters such as $( or ;. This parameter is the injection point for CVE-2020-24365.
  • Alert on an HTTP POST to /cgi-bin/sysconf.cgi?page=login.asp&action=login using default credentials (user_name=admin, user_passwd=admin) that is followed immediately by requests to the diagnostic endpoint; this sequence is indicative of automated exploit tooling.
  • Detect the session cookie 'sid' being sent as a custom HTTP request header rather than in a standard Cookie header, which is the session-handling pattern used by the exploit.
  • Commands injected via mon_diag_addr run as root (uid 0); monitor for unexpected child processes spawned by the CGI handler, especially ping or wget processes with unusual arguments or destinations.
  • Watch for creation or modification of /tmp/mon_diag.log on Gemtek WRTM-127ACN / WRTM-127x9 devices; it is the output file written by the injected command pipeline.
  • Detect wget invocations writing to /tmp/<filename> on the device, which is the file-download capability built into the exploit for staging additional payloads.
  • The exploit requires authentication, but the researcher notes that most routers are left with default credentials (admin/admin), so the authentication requirement is effectively trivial in practice.
  • The vulnerability affects two distinct firmware versions; detection rules and patching must cover both 01.01.02.141 (WRTM-127ACN) and 01.01.02.127 (WRTM-127x9).
  • The exploit author notes that some injected commands can get stuck and require a second identical request to stop them; this double-request pattern (the same payload sent twice in quick succession) can be used as a behavioral detection signal.
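The following is an added example (not part of this record and not from the original researcher) showing how three of the signals above can be checked against web-server access logs from the router or a reverse proxy in front of it: a mon_diag_addr value carrying shell metacharacters, the same diagnostic request repeated by one client within a short window, and a login POST followed within seconds by a diagnostic request. The log lines, IP addresses and timestamps are constructed for the example. The default-credential check from the list above is not implemented here because access logs do not record POST bodies; that signal needs request-body inspection at a proxy or IDS.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format). Not from the page or any real device.
# Lines 1-3: one client logs in, then sends the same diagnostic request twice within seconds.
# Line 4: a benign diagnostic request with a plain IP address in mon_diag_addr.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2020:10:00:01 +0000] "POST /cgi-bin/sysconf.cgi?page=login.asp&action=login HTTP/1.1" 200 512
10.0.0.5 - - [24/Sep/2020:10:00:02 +0000] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=%24%28id%3B%29&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4 HTTP/1.1" 200 128
10.0.0.5 - - [24/Sep/2020:10:00:03 +0000] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=%24%28id%3B%29&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4 HTTP/1.1" 200 128
10.0.0.9 - - [24/Sep/2020:10:05:00 +0000] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=8.8.8.8&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4 HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters that never belong in a ping target (hostname or IP) but do appear in shell injection.
SHELL_META_RE = re.compile(r'[$;`|&<>()]')
DIAG_PATH = "/cgi-bin/sysconf.cgi"


def parse_line(line):
    """Parse one CLF line into a dict; the query string is percent-decoded into a parameter map."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": parts.path,
        "query": query,
        "raw_query": parts.query,
    }


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def is_diag_request(ev):
    return ev["path"] == DIAG_PATH and ev["query"].get("action") == "save_monitor_diagnostic"


def is_login_request(ev):
    return ev["path"] == DIAG_PATH and ev["method"] == "POST" and ev["query"].get("action") == "login"


def injection_alerts(events):
    """Signal 1: mon_diag_addr carrying shell metacharacters (the CVE-2020-24365 injection point)."""
    alerts = []
    for ev in events:
        if is_diag_request(ev):
            addr = ev["query"].get("mon_diag_addr", "")
            if SHELL_META_RE.search(addr):
                alerts.append({"ip": ev["ip"], "ts": ev["ts"], "mon_diag_addr": addr})
    return alerts


def double_request_alerts(events, window_s=30):
    """Signal 2: the identical diagnostic query sent again by the same client within window_s seconds."""
    alerts, last_seen = [], {}
    for ev in events:
        if not is_diag_request(ev):
            continue
        key = (ev["ip"], ev["raw_query"])
        prev = last_seen.get(key)
        if prev is not None and (ev["ts"] - prev).total_seconds() <= window_s:
            alerts.append({"ip": ev["ip"], "ts": ev["ts"], "repeated_query": ev["raw_query"]})
        last_seen[key] = ev["ts"]
    return alerts


def login_then_diag_alerts(events, window_s=10):
    """Signal 3: a login POST followed within window_s seconds by a diagnostic request from the same IP."""
    alerts, last_login = [], {}
    for ev in events:
        if is_login_request(ev):
            last_login[ev["ip"]] = ev["ts"]
        elif is_diag_request(ev):
            t = last_login.get(ev["ip"])
            if t is not None and 0 <= (ev["ts"] - t).total_seconds() <= window_s:
                alerts.append({"ip": ev["ip"], "ts": ev["ts"],
                               "seconds_after_login": (ev["ts"] - t).total_seconds()})
    return alerts


def analyze(text):
    events = parse_log(text)
    return {
        "injection": injection_alerts(events),
        "double_request": double_request_alerts(events),
        "login_then_diag": login_then_diag_alerts(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

Run against the constructed log, the injection rule fires on the two requests from 10.0.0.5 and not on the plain-IP request from 10.0.0.9, the double-request rule fires once on the repeated query, and the login-then-diagnostic rule fires on both diagnostic requests that follow the login within ten seconds. The metacharacter set is deliberately wider than the $( and ; quoted above, since any of those characters in a ping target is anomalous on this endpoint.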

CVSS provenance

NVD CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)