cbcvebase.
CVE-2020-29238
published 2021-03-10


Priority: P2 · 62 · high · 7.5 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:N A:N
Tags: EXPLOIT
EPSS: 16.65% (96.6th percentile)
An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server is running as a reverse proxy, via a specially crafted request.

Affected (1 range)

Vendor | Product | Version range | Fixed in
expressvpn | expressvpn | | 

Detection & IOCs (extracted from sources)

command:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
  Host: 127.0.0.1:8181
  Accept-Encoding: identity
  Range: bytes=-17208,-9223372036854758999
  Connection: close
port: 8181
version: nginx/1.9.15
  • Detect exploitation attempts by inspecting HTTP Range headers containing two negative byte ranges, particularly where the second value is a large negative integer consistent with integer overflow (e.g., -9223372036854758999), targeting the Nginx range filter module.
  • A successful exploit response will return HTTP 206 Partial Content with a multipart/byteranges body and a negative Content-Range value, indicating a memory leak via integer overflow in the Nginx range filter.
  • Monitor for HTTP 206 responses from Nginx servers where the Content-Range header contains a negative start byte, which is a strong indicator of successful CVE-2020-29238 exploitation.
  • The vulnerable service runs on Nginx version 1.9.15; identify exposed instances of this specific version on port 8181 as high-priority targets for patching and monitoring.
  • The vulnerability is only exploitable if the router control panel is exposed to the Internet; it is normally restricted to the local network. Exposure to the Internet significantly increases risk.
  • Only ExpressVPN Router version 1.x firmware is affected. Devices upgraded to the latest firmware version are not vulnerable.
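The two detection rules above (a multi-range Range header with a suffix length consistent with a 64-bit overflow, and a 206 whose Content-Range starts at a negative offset) as an added Python example; this is not code from the source page, ExpressVPN or nginx, and the request/response samples are constructed. It assumes the affected build uses signed 64-bit byte offsets.

```python
import re
# nginx stores byte offsets in a signed 64-bit off_t (assumption: 64-bit build); a total past
# this boundary wraps negative, which is what the probe in the IOC above relies on.
INT64_MAX = 2**63 - 1

def parse_range(header):
    """Parse 'bytes=a-b,-n,c-' into (start, end) pairs; a suffix '-n' becomes (None, n)."""
    if not header.startswith("bytes="):
        return []
    ranges = []
    for spec in header[6:].split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not m or m.group(1) == m.group(2) == "":
            return []  # malformed: nginx ignores the whole header
        first, last = m.group(1), m.group(2)
        ranges.append((None, int(last)) if first == "" else (int(first), int(last) if last else None))
    return ranges

def suspicious_range(header):
    """Return a reason if the Range header looks like a CVE-2020-29238 probe, else None."""
    ranges = parse_range(header)
    suffixes = [n for s, n in ranges if s is None]
    if len(ranges) < 2 or not suffixes:
        return None  # the bug needs the multipart (multi-range) code path plus a suffix range
    if max(suffixes) > INT64_MAX // 2:
        return "suffix length -%d is larger than any real resource" % max(suffixes)
    total = sum(n if s is None else 0 if n is None else n - s + 1 for s, n in ranges)
    if total > INT64_MAX:
        return "requested lengths overflow a signed 64-bit total"
    return None

def suspicious_response(status, content_range):
    """A 206 whose Content-Range starts at a negative offset signals a successful leak."""
    return status == 206 and re.match(r"bytes\s+-\d+", content_range or "") is not None

# Constructed (Range header, status, Content-Range) samples for the demo, not a real capture.
SAMPLES = [
    ("bytes=0-1023", 206, "bytes 0-1023/4096"),
    ("bytes=-17208,-9223372036854758999", 206, "bytes -17208-4095/4096"),
]

def scan(samples):
    """Return (index, reason) for every sample flagged by either check."""
    hits = []
    for i, (rng, status, cr) in enumerate(samples):
        reason = suspicious_range(rng)
        if reason is None and suspicious_response(status, cr):
            reason = "206 with negative Content-Range start"
        if reason:
            hits.append((i, reason))
    return hits
```

Feed real access-log or proxy-log fields into `scan` in the same tuple shape; the response check is the stronger signal because it only fires when the server actually served a negative offset.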

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N