cbcvebase.
CVE-2020-29390
published 2020-11-30

CVE-2020-29390: Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker…

Priority: P186, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 36.67% (98.3th percentile)
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
zeroshell | zeroshell | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW=
path: /cgi-bin/kerbynet
yara
rule CVE_2020_29390_Zeroshell_CmdInjection {
    strings:
        $req = "/cgi-bin/kerbynet"
        $param = "StartSessionSubmit"
        $metachar = "%0a"
    condition:
        $req and $param and $metachar
}
sigma
title: CVE-2020-29390 Zeroshell Command Injection
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains: '/cgi-bin/kerbynet'
    # "all" requires both values; a plain list under "contains" is OR-ed
    cs-uri-query|contains|all:
      - 'StartSessionSubmit'
      - '%0a'
  condition: selection

  • Look for HTTP GET requests to /cgi-bin/kerbynet with Action=StartSessionSubmit and shell metacharacters (e.g., %27, %26, %0a) in the User parameter; unauthenticated exploitation requires no session cookie.
  • Response body containing 'root:.*:0:0:' (passwd file content) alongside 'Start Session' text is a strong indicator of successful exploitation.
  • Use Shodan query 'http.title:"zeroshell"', FOFA query 'title="zeroshell"', or Google dork 'intitle:"zeroshell"' to identify exposed Zeroshell instances for proactive asset discovery.
  • The %0a (newline) character is used as a shell metacharacter to inject additional OS commands into the StartSessionSubmit parameter; alert on URL-encoded newlines in CGI query strings.
  • Vulnerability is specific to Zeroshell version 3.9.3; detections should be scoped to this CPE to avoid false positives on other versions.
  • Exploitation requires no authentication (PR:N, UI:N), meaning any network-accessible Zeroshell 3.9.3 instance is at risk without any prior credential compromise.
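
The request-side checks in the notes above, run over web access logs: an added example, not part of the original page or of any vendor tooling. It percent-decodes each query parameter before testing it, so %0a and %0A are treated alike. The log format (common/combined), the sample lines, and the extra metacharacters beyond the three the page names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Decoded forms of the indicators the page names: ' (%27), & (%26), newline (%0a).
# The others (; | ` $) are an added assumption: further common shell metacharacters.
SHELL_META = set("'&\n;|`$")

# Request line inside a common/combined access-log entry: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def suspicious_params(uri):
    """Return names of query parameters carrying shell metacharacters,
    or [] if the request is not a StartSessionSubmit call to kerbynet."""
    parts = urlsplit(uri)
    if parts.path != "/cgi-bin/kerbynet":
        return []
    # parse_qsl splits on literal '&' first, then percent-decodes each value,
    # so an encoded %26 or %0a stays inside the value where it can be inspected.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ("Action", "StartSessionSubmit") not in params:
        return []
    return [name for name, value in params
            if name != "Action" and SHELL_META & set(value)]

def scan(lines):
    """Yield (line_number, flagged_parameter_names) for each matching log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            flagged = suspicious_params(match.group("uri"))
            if flagged:
                yield number, flagged

# Constructed sample log lines (documentation IP ranges); line 2 carries the URL listed on this page.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2020:10:00:01 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User=admin&PW=secret HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2020:10:00:05 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW= HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Dec/2020:10:00:09 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User=admin%0a&PW= HTTP/1.1" 200 640',
    '203.0.113.4 - - [01/Dec/2020:10:00:12 +0000] "GET /index.html?q=%0a HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, flagged in scan(SAMPLE_LOG):
        print(f"line {number}: shell metacharacters in {flagged}")
```

A hit here shows only that a suspicious request arrived; whether it succeeded still has to be judged from the response-body indicator described above.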

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 9.8 | CRITICAL