CVE-2020-29390
Published: 2020-11-30
Priority: P1 · 86 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 36.67% (98.3th percentile)
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zeroshell | zeroshell | — | — |
Detection & IOCs (extracted from sources)

yara

```yara
rule CVE_2020_29390_Zeroshell_CmdInjection
{
    strings:
        $req = "/cgi-bin/kerbynet"
        $param = "StartSessionSubmit"
        $metachar = "%0a"
    condition:
        $req and $param and $metachar
}
```

sigma

```yaml
title: CVE-2020-29390 Zeroshell Command Injection
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains: '/cgi-bin/kerbynet'
        # "all" requires both values to be present; a plain list under "contains" is OR-ed
        cs-uri-query|contains|all:
            - 'StartSessionSubmit'
            - '%0a'
    condition: selection
```

- Look for HTTP GET requests to /cgi-bin/kerbynet with Action=StartSessionSubmit and shell metacharacters (e.g., %27, %26, %0a) in the User parameter; unauthenticated exploitation requires no session cookie.
- Response body containing 'root:.*:0:0:' (passwd file content) alongside 'Start Session' text is a strong indicator of successful exploitation.
- Use Shodan query 'http.title:"zeroshell"', FOFA query 'title="zeroshell"', or Google dork 'intitle:"zeroshell"' to identify exposed Zeroshell instances for proactive asset discovery.
- The %0a (newline) character is used as a shell metacharacter to inject additional OS commands into the StartSessionSubmit parameter; alert on URL-encoded newlines in CGI query strings.
- Vulnerability is specific to Zeroshell version 3.9.3; detections should be scoped to this CPE to avoid false positives on other versions.
- Exploitation requires no authentication (PR:N, UI:N), meaning any network-accessible Zeroshell 3.9.3 instance is at risk without any prior credential compromise.
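The access-log check described in the notes above, as an added example that is not taken from any of the sources this page aggregates: it percent-decodes the query string so `%0a` and `%0A` both match, and it requires the `/cgi-bin/kerbynet` path, `Action=StartSessionSubmit` and a listed metacharacter in `User` together. The combined log format, the function names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Decoded characters the notes list as indicators: %0a (newline), %27 ('), %26 (&).
SUSPICIOUS = {"\n": "%0a", "'": "%27", "&": "%26"}

def inspect_request(target):
    """Return the indicator names found in the User parameter, or [] if no match."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/kerbynet":
        return []
    # parse_qs splits on '&' first and percent-decodes afterwards, so %0a and %0A
    # both become '\n' and an encoded %26 stays inside its parameter value.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "StartSessionSubmit" not in params.get("Action", []):
        return []
    hits = []
    for value in params.get("User", []):
        hits += [name for ch, name in SUSPICIOUS.items() if ch in value and name not in hits]
    return hits

def scan(log_lines):
    """Return (line_number, indicators) for every log line that matches."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits = inspect_request(match.group("target"))
            if hits:
                findings.append((number, hits))
    return findings

# Constructed sample lines (not captured traffic); PLACEHOLDER stands in for injected text.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2020:10:00:00 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User=alice HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Dec/2020:10:00:05 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User=a%0APLACEHOLDER HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Dec/2020:10:00:09 +0000] "GET /index.html?q=%0a HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: indicators {hits}")
```

Only the second sample line is flagged: the first is a normal login attempt and the third carries `%0a` on an unrelated path.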
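CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |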
GHSA
GHSA-wfh6-xhqh-h5xw: Zeroshell 3
ghsa_unreviewed·2022-05-24
CVE-2020-29390 [CRITICAL] CWE-78 GHSA-wfh6-xhqh-h5xw: Zeroshell 3
VulnCheck
zeroshell zeroshell Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-29390 [CRITICAL] zeroshell zeroshell Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: zeroshell zeroshell
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2020-29390
No detection rules found.
Nuclei
Zeroshell 3.9.3 - Command Injection
nuclei·CVSS 9.8
CVE-2020-29390 [CRITICAL] Zeroshell 3.9.3 - Command Injection
Template:

```yaml
id: CVE-2020-29390

info:
  name: Zeroshell 3.9.3 - Command Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: |
    Upgr
```