CVE-2020-26124
Published 2020-10-02
Priority P178 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 67.17% (99.2th percentile)
openmediavault before 4.1.36 and 5.x before 5.5.12 allows authenticated PHP code injection attacks, via the sortfield POST parameter of rpc.php, because json_encode_safe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating system as root.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmediavault | openmediavault | < 4.1.36 | 4.1.36 |
| openmediavault | openmediavault | >= 5.0.0 < 5.5.12 | 5.5.12 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to rpc.php for suspicious or PHP-injectable content in the 'sortfield' parameter, which is the attack vector for CVE-2020-26124.
- Successful exploitation results in arbitrary command execution as root on the underlying OS; look for openmediavault web processes spawning unexpected child processes (e.g., shells) running as root.
- The exploit requires authentication; correlate suspicious rpc.php POST activity with prior successful login events to identify authenticated attacker sessions.
- Vulnerability affects openmediavault versions before 4.1.36 and all 5.x versions before 5.5.12; detections should be scoped to these version ranges.
CVSS provenance
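| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |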
- http://packetstormsecurity.com/files/160223/OpenMediaVault-rpc.php-Authenticated-PHP-Code-Injection.html
- https://github.com/openmediavault/openmediavault/commit/ebb51bbf5a39f4955eab0073bf87f2a31926d85d
- https://www.openmediavault.org/?p=2797