cbcvebase.
CVE-2020-26124
published 2020-10-02

CVE-2020-26124: openmediavault before 4.1.36 and 5.x before 5.5.12 allows authenticated PHP code injection attacks, via the sortfield POST parameter of rpc.php, because…

PriorityP178high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
67.17%
99.2th percentile
openmediavault before 4.1.36 and 5.x before 5.5.12 allows authenticated PHP code injection attacks, via the sortfield POST parameter of rpc.php, because json_encode_safe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating system as root.

Affected

2 ranges
VendorProductVersion rangeFixed in
openmediavaultopenmediavault< 4.1.364.1.36
openmediavaultopenmediavault>= 5.0.0 < 5.5.125.5.12

Detection & IOCsextracted from sources · hover to see the quote

path/rpc.php
pathconfig/databasebackend.inc
  • Monitor POST requests to rpc.php for suspicious or PHP-injectable content in the 'sortfield' parameter, which is the attack vector for CVE-2020-26124.
  • Successful exploitation results in arbitrary command execution as root on the underlying OS; look for openmediavault web processes spawning unexpected child processes (e.g., shells) running as root.
  • The exploit requires authentication; correlate suspicious rpc.php POST activity with prior successful login events to identify authenticated attacker sessions.
  • ·Vulnerability affects openmediavault versions before 4.1.36 and all 5.x versions before 5.5.12; detections should be scoped to these version ranges.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.