CVE-2020-3657
published 2020-11-02


Priority: P272, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.34% (97.9th percentile)
Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webserver due to lack of array bound check in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, QCA6574AU, QCS405, QCS610, QRB5165, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8250

Affected

1 range
Vendor | Product | Version range | Fixed in
google | android | |

Detection & IOCs

url: /cgi-bin/qcmap_web_cgi?page=SetMediaDir
url: /cgi-bin/qcmap_web_cgi?
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1;)
  • Exploit traffic targets the QCMAP web CGI endpoint via HTTP GET requests. Look for GET requests to /cgi-bin/qcmap_web_cgi? whose URI contains 8 or more '&' parameter delimiters after the endpoint path, indicative of a stack-based buffer overflow attempt.
  • Command injection attempts against the SetMediaDir page can be detected by the presence of a semicolon byte (0x3b) in the URI following the page parameter, indicating shell metacharacter injection.
  • The vulnerability is triggered via a crafted POST query to the device webserver when accessed from a tethered client. Monitor inbound HTTP POST and GET traffic to QCMAP CGI endpoints on internal/perimeter networks.
  • Both ET rules (sid:2031056 and sid:2031057) are tagged for Perimeter, Internal, and SSLDecrypt deployment, meaning exploit attempts may also occur over TLS — SSL inspection is recommended.
  • The ET Snort rule for the buffer overflow (sid:2031057) uses HTTP method GET, but the NVD description states exploitation occurs via a POST query. Ensure detection coverage includes POST requests to the same CGI endpoint.
  • The Android Security Bulletin marks this as a Closed-source component (reference A-153344684*), meaning patch availability and applicability must be verified per OEM/vendor for each affected Snapdragon chipset.
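
The matching logic of the two rules above, applied to GET and POST alike to close the coverage gap noted in the list, as an added example (not part of the ET ruleset or of this page's sources). The function names, the POST body check and the percent-decoding step are assumptions, and the sample requests are constructed.

```python
from urllib.parse import unquote

CGI = "/cgi-bin/qcmap_web_cgi?"
SET_MEDIA_DIR = CGI + "page=SetMediaDir"
MIN_AMPERSANDS = 8  # sid:2031057 chains eight content:"&" matches

def has_injection(text):
    """';' followed by at least one byte (content:"|3b|"; isdataat:1,relative)."""
    pos = text.find(";")
    return pos != -1 and pos + 1 < len(text)

def classify(method, uri, body=""):
    """Return findings for one request; GET and POST are treated alike."""
    if method.upper() not in ("GET", "POST"):
        return []
    uri, body = unquote(uri), unquote(body)  # assumption: match on decoded text
    start = uri.find(CGI)
    if start == -1:
        return []
    query = uri[start + len(CGI):]
    findings = []
    # Assumption: for POST the parameters may be in the body, so check both.
    if max(query.count("&"), body.count("&")) >= MIN_AMPERSANDS:
        findings.append("overflow-pattern")
    page = uri.find(SET_MEDIA_DIR)
    if page != -1:
        tail = uri[page + len(SET_MEDIA_DIR):]
        if has_injection(tail) or has_injection(body):
            findings.append("injection-pattern")
    return findings

# Constructed sample requests (method, URI, body); not captured traffic.
SAMPLES = [
    ("GET", "/cgi-bin/qcmap_web_cgi?page=GetMediaDir&token=1", ""),
    ("GET", "/cgi-bin/qcmap_web_cgi?a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8&i=9", ""),
    ("POST", "/cgi-bin/qcmap_web_cgi?", "a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8&i=9"),
    ("GET", "/cgi-bin/qcmap_web_cgi?page=SetMediaDir&dir=/media%3Bx", ""),
    ("GET", "/cgi-bin/qcmap_web_cgi?page=SetMediaDir&dir=/media", ""),
    ("GET", "/index.html?a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8&i=9", ""),
]

def scan(samples=SAMPLES):
    """Classify every sample and return (method, uri, findings) tuples."""
    return [(m, u, classify(m, u, b)) for m, u, b in samples]

if __name__ == "__main__":
    for method, uri, findings in scan():
        print(method, uri, findings or "clean")
```

Decoding before matching means an encoded '&' or ';' inside a legitimate value also counts, so hits are candidates for review rather than confirmed exploit attempts.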

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C