CVE-2020-24949
published 2020-09-03


Priority: P1 · 87 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 67.29% (99.2th percentile)
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).

Affected (1 range)

Vendor: php-fusion
Product: php-fusion
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

path: /infusions/downloads/downloads.php?cat_id=${system(ls)}
path: /infusions/downloads/downloads.php?cat_id=${{system(base64_decode({})).exit}}
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/"; content:"downloads.php?cat_id=|24 7b|system"; fast_pattern; reference:url,github.com/r90tpass/CVE-2020-24949/blob/main/exp.py; reference:cve,2020-24949; classtype:attempted-admin; sid:2033462; rev:1; metadata:created_at 2021_07_27, cve CVE_2020_24949, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes: |24 7b|system
  • Look for GET requests to /infusions/downloads/downloads.php where the cat_id parameter contains a ${ or ${{ template injection pattern invoking system(), base64_decode(), or other PHP functions.
  • A successful exploitation response will contain the string 'infusion_db.php' in the HTTP response body — use this as a confirmation matcher.
  • The exploit base64-encodes the reverse-shell payload to avoid '+' and '=' characters in the URL; look for base64_decode() calls inside the cat_id parameter as an evasion indicator.
  • The exploit requires the PHP-Fusion 'Allow PHP Execution' feature to be enabled; verify this setting when triaging alerts.
  • Exploitation requires the 'Allow PHP Execution' feature to be enabled in the PHP-Fusion configuration; the vulnerability is not exploitable without this setting.
  • The exploit payload must not contain '+' or '=' characters (e.g., from base64 padding) in the URL; attackers craft payloads specifically to avoid these characters.

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck: 8.8 HIGH