CVE-2020-25540
published 2020-09-14

Priority P1 · 83 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 75.88% (99.5th percentile)
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthenticated attacker (PR:N) can read arbitrary files on a remote server via the encode parameter of a GET request.

Affected (1 range)

Vendor      Product     Version range   Fixed in
thinkadmin  thinkadmin  (not given)     (not given)

Detection & IOCs (extracted from sources)

url:  /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s
url:  /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34
path: /admin.html
  • Detect exploitation attempts by matching GET requests to /admin.html whose 's' parameter is 'admin/api.Update/get/encode/' followed by an encoded traversal payload.
  • A successful exploitation response contains a string matching 'root:.*:0:0:' in the HTTP 200 response body, indicating that /etc/passwd was read on a Linux target.
  • The vulnerable endpoint is the ThinkAdmin API update handler; monitor for unauthenticated GET requests to 'admin/api.Update/get/encode/' carrying encoded path traversal strings.
  • The exploit payloads are version-specific: the vulnerability affects ThinkAdmin v6 up to and including version 2020.08.03.01 only.
  • Separate encoded payloads exist for Windows (targeting database.php) and Linux (targeting /etc/passwd); detection rules should account for both payload variants.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck           7.5    HIGH