CVE-2020-28337
published 2021-02-15

CVE-2020-28337: A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the…

Priority: P2 (61), high
CVSS 3.1 base score: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 16.61% (96.6th percentile)
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

Affected (2 ranges)

Vendor     | Product    | Version range | Fixed in
microweber | microweber | <= 1.1.20     |
microweber | microweber | >= 0 < 1.2.3  | 1.2.3

Detection & IOCs (extracted from sources)

url: /api/user_login
url: /plupload
url: /api/Microweber/Utils/Backup/move_uploaded_file_to_backup
url: /api/Microweber/Utils/Backup/restore
path: /userfiles/cache/
filename: payload.php
filename: payload.zip
command: <?php echo "<pre>" . shell_exec($_REQUEST["fexec"]) . "</pre>"; ?>
path: ../../../..{path} (unknown)
  • Monitor POST requests to /api/user_login followed shortly by requests to /plupload and /api/Microweber/Utils/Backup/move_uploaded_file_to_backup — this sequence is the exploit chain for CVE-2020-28337.
  • Alert on ZIP archive uploads containing path traversal sequences (../../) delivered to /plupload, as the exploit embeds '../../../../' prefixed paths inside the ZIP to escape the webroot.
  • Detect POST requests to /api/Microweber/Utils/Backup/restore with an 'id' parameter matching a ZIP filename — this triggers unsafe extraction of the traversal payload.
  • Detect HTTP requests to the dropped webshell that include the 'fexec' parameter, which is used to pass OS commands to shell_exec() in the default payload.
  • Use the debug endpoint (GET /?debug=true) access pattern to identify attacker reconnaissance — the exploit uses it to resolve the absolute webroot path via DefaultController.php.
  • The exploit moves the uploaded ZIP from /userfiles/media/{hostname}/ to the backup directory; monitor file move operations from that media path into backup directories.
  • SSL verification is disabled in the exploit by default; detections based on TLS inspection may not apply if the target is HTTP-only, but the exploit will work against HTTPS targets without certificate validation.
  • The exploit requires authenticated access with administrative credentials; detections should account for the fact that the attacker will have a valid session cookie before triggering the traversal.
  • The ZIP traversal depth is hardcoded to four levels (../../../../) based on the backup extraction path /storage/cache/backup_restore/; environments with different installation paths may require a different traversal depth.
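As an added example, not code from Microweber or from this page: a Python check that a hardened backup-restore routine (or a gateway inspecting archives uploaded to /plupload) can run before extracting anything, flagging every entry whose resolved path would escape the extraction directory. The sample archive, the entry names other than payload.php, and the destination directory are constructed for illustration.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List

# Constructed destination, standing in for a path like /storage/cache/backup_restore/.
SAMPLE_DEST = os.path.join(tempfile.gettempdir(), "backup_restore")


def unsafe_zip_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Return archive entry names that would land outside dest_dir.

    Each name is resolved against the extraction directory and rejected if
    it escapes it (the '../../../../' entries this advisory describes),
    is absolute, or carries a drive letter. Backslashes are normalised
    first so 'a\\..\\b' cannot slip past a forward-slash-only check.
    """
    dest_real = os.path.realpath(dest_dir)
    flagged: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            normalised = name.replace("\\", "/")
            if posixpath.isabs(normalised) or (len(normalised) > 1 and normalised[1] == ":"):
                flagged.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_real, *normalised.split("/")))
            # commonpath equals dest_real only when target is inside it.
            if os.path.commonpath([dest_real, target]) != dest_real:
                flagged.append(name)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed 'backup': one benign entry plus a traversal entry shaped
    like the advisory's payload.php and an absolute-path entry (placeholder
    contents, hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.json", "{}")
        zf.writestr("../../../../payload.php", "<?php /* placeholder */ ?>")
        zf.writestr("/tmp/absolute.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_zip_entries(build_sample_archive(), SAMPLE_DEST))
```

A restore routine should refuse the whole archive when this list is non-empty rather than skipping the bad entries, since a partially applied backup is itself a failure mode.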

CVSS provenance

nvd, v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P