CVE-2020-35131
published 2021-01-08


Priority: P1 · 87 · Critical 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit status: exploited in the wild (VulnCheck KEV)
EPSS: 49.94% (98.8th percentile)
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.

Affected

1 range

Vendor     Product   Version range   Fixed in
agentejo   cockpit   < 0.6.1         0.6.1

Detection & IOCs (extracted from sources)

url: /auth/check
url: /auth/requestreset
path: lib/MongoLite/Database.php
command: {"auth":{"user":"{{rand_user}}'.phpinfo().'"}}
command: {"user":"{{rand_user}}'.phpinfo().'"}}
  • Detect exploitation attempts by monitoring POST requests to /auth/check or /auth/requestreset containing PHP injection patterns (e.g., single-quote-delimited PHP function calls) in the JSON body.
  • A successful exploit response will contain both 'cockpit' and 'PHP Extension' strings in the HTTP response body (phpinfo() output), indicating RCE was achieved.
  • Requests will use Content-Type: application/json; charset=UTF-8 targeting the unauthenticated /auth/check and /auth/requestreset endpoints — no authentication required.
  • Shodan/FOFA fingerprinting: identify exposed Cockpit CMS instances via http.html:"cockpit" (Shodan) or app="Cockpit" (FOFA) for proactive asset discovery.
  • Note: This CVE affects Cockpit CMS (getcockpit.com), NOT the Red Hat Cockpit Project (cockpit-project.org). Ensure detections are scoped to the correct product.
  • The vulnerability exists in versions of Cockpit CMS strictly before 0.6.1; version 0.6.1 and later are patched.
  • The injection point is the registerCriteriaFunction method in lib/MongoLite/Database.php; patching, or monitoring changes to, this file is relevant for defenders.
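As an added example (not code from this page, from the Cockpit project, or from any vendor or Nuclei template), the following Python checker applies the three detection points above to a few constructed request/response records: it looks only at POST requests to the two unauthenticated endpoints, walks the decoded JSON body for any string value that breaks out of a single-quoted PHP string and calls a function (the `'.phpinfo().'` shape from the IOCs, generalised to any function name), and marks an attempt as successful when the response carries both phpinfo() markers the entry names. The endpoint list and the two response strings come from the entry; the regular expression, the function names and the sample traffic are assumptions made for this example.

```python
import json
import re

# Endpoints named in the advisory; both are reachable without authentication.
VULN_ENDPOINTS = {"/auth/check", "/auth/requestreset"}

# A JSON string value that closes a single-quoted PHP literal, concatenates a
# function call, and reopens the literal, e.g.  x'.phpinfo().'  or
# x'.system("id").'  (assumed pattern; not the only possible payload shape).
PHP_CONCAT_INJECTION = re.compile(
    r"'\s*\.\s*[A-Za-z_][A-Za-z0-9_\\]*\s*\(.*?\)\s*\.\s*'", re.S
)

# Strings the entry says a successful phpinfo() payload leaves in the response.
SUCCESS_MARKERS = ("cockpit", "PHP Extension")


def find_injected_strings(obj):
    """Recursively collect every string value in a decoded JSON document
    that matches the concatenation-injection pattern."""
    hits = []
    if isinstance(obj, dict):
        for value in obj.values():
            hits.extend(find_injected_strings(value))
    elif isinstance(obj, list):
        for value in obj:
            hits.extend(find_injected_strings(value))
    elif isinstance(obj, str) and PHP_CONCAT_INJECTION.search(obj):
        hits.append(obj)
    return hits


def classify_request(method, path, body):
    """Verdict for one request: ignore / malformed / benign / attempt.
    The Content-Type header is deliberately not required, since an attacker
    controls it; only method, path and body shape are trusted."""
    if method != "POST" or path.split("?", 1)[0] not in VULN_ENDPOINTS:
        return "ignore"
    try:
        doc = json.loads(body)
    except ValueError:
        # Non-JSON bodies to these endpoints are not this CVE's shape.
        return "malformed"
    return "attempt" if find_injected_strings(doc) else "benign"


def exploit_succeeded(response_body):
    """True when the response looks like phpinfo() output from Cockpit."""
    return all(marker in response_body for marker in SUCCESS_MARKERS)


def scan(records):
    """records: iterable of dicts with keys method, path, body, response.
    Returns (index, verdict) for every record that is not ignored."""
    findings = []
    for i, r in enumerate(records):
        verdict = classify_request(r["method"], r["path"], r["body"])
        if verdict == "attempt" and exploit_succeeded(r.get("response", "")):
            verdict = "attempt-succeeded"
        if verdict != "ignore":
            findings.append((i, verdict))
    return findings


# Constructed sample traffic (not captured from any real system). The first
# two bodies are the IOC shapes listed above with the placeholder replaced
# by a random-looking username; the third varies the injected function.
SAMPLE_TRAFFIC = [
    {"method": "POST", "path": "/auth/check",
     "body": '{"auth":{"user":"h4x0r\'.phpinfo().\'"}}',
     "response": "<html> PHP Version 7.1.2 ... PHP Extension Build API20160303 ... cockpit ..."},
    {"method": "POST", "path": "/auth/requestreset",
     "body": '{"user":"h4x0r\'.phpinfo().\'"}',
     "response": '{"message":"Recovery email sent."}'},
    {"method": "POST", "path": "/auth/check",
     "body": '{"auth":{"user":"bob\'.system(\\"id\\").\'"}}',
     "response": "<html> uid=33(www-data) gid=33(www-data) ..."},
    {"method": "POST", "path": "/auth/check",
     "body": '{"auth":{"user":"admin","password":"s3cret"}}',
     "response": '{"success":false}'},
    {"method": "GET", "path": "/auth/check", "body": "", "response": ""},
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_TRAFFIC):
        print(index, verdict, SAMPLE_TRAFFIC[index]["path"])
```

Note that the third record is flagged as an attempt but not as a success: the two response markers only identify phpinfo() output, so a payload that runs another function (as that record does) needs a different success check, and the request-side match is the signal to alert on. The regular expression is also narrower than arbitrary PHP; it is a starting point for a rule, not a guarantee of coverage.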

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck                 9.8     CRITICAL
vendor_redhat             9.8     CRITICAL