CVE-2020-37123
Published 2026-02-05
Priority: P1 · 81 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.14% (86.3th percentile)
Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wcchandler | pinger | — | — |
Detection & IOCs (extracted from sources)
- Send a POST request to /ping.php with a 'ping' parameter containing a semicolon-delimited shell command (e.g., 127.0.0.1;<cmd>) and check the response body for command output to confirm RCE.
- Probe the target root URL for the presence of the string 'ping.php' in the response body as a prerequisite indicator that the vulnerable Pinger 1.0 application is present.
- Monitor HTTP POST requests to /ping.php with Content-Type: application/x-www-form-urlencoded where the 'ping' or 'socket' parameter values contain shell metacharacters (e.g., ';', '|', '`').
- Exploitation requires two sequential HTTP steps: first a GET to the base URL to confirm 'ping.php' is present, then a POST to /ping.php with the injected payload. Single-step detection may miss the prerequisite check.
- Both the 'ping' and 'socket' parameters are vulnerable to shell command injection; detection rules should cover both parameters, not just 'ping'.
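The monitoring rule described in the list above, as an added example (not code from this page or from any of the sources it aggregates). The event field names (`src`, `method`, `url`, `content_type`, `body`), the rule that a GET to a directory URL counts as the base-URL probe, and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Characters a hostname/IP or port value never needs but a shell interprets.
SHELL_META = re.compile(r"[;|&`$(){}<>\\\n\r]")
WATCHED_PARAMS = {"ping", "socket"}  # the page names both as injectable

def suspicious_params(method, url, content_type, body):
    """Names of watched form parameters whose decoded value holds shell metacharacters."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith("/ping.php"):
        return []
    if "application/x-www-form-urlencoded" not in content_type.lower():
        return []
    # parse_qsl percent-decodes, so an encoded %3B is matched the same as a raw ';'.
    pairs = parse_qsl(body, keep_blank_values=True, separator="&")
    return sorted({k for k, v in pairs if k in WATCHED_PARAMS and SHELL_META.search(v)})

def scan(events):
    """Return one alert per suspicious POST; probed_first marks the two-step pattern."""
    probed, alerts = set(), []
    for e in events:
        if e["method"].upper() == "GET" and urlsplit(e["url"]).path.endswith("/"):
            probed.add(e["src"])  # assumption: a GET to a directory URL is the base-URL probe
            continue
        hits = suspicious_params(e["method"], e["url"], e.get("content_type", ""), e.get("body", ""))
        if hits:
            alerts.append({"src": e["src"], "params": hits, "probed_first": e["src"] in probed})
    return alerts

FORM = "application/x-www-form-urlencoded"
# Constructed sample events (documentation IP ranges, placeholder <cmd> as on the page).
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "method": "GET", "url": "/pinger/"},
    {"src": "198.51.100.7", "method": "POST", "url": "/pinger/ping.php",
     "content_type": FORM, "body": "ping=127.0.0.1%3B%3Ccmd%3E&socket=80"},
    {"src": "203.0.113.5", "method": "POST", "url": "/ping.php",
     "content_type": FORM + "; charset=UTF-8", "body": "ping=192.0.2.10&socket=80%7C%3Ccmd%3E"},
    {"src": "192.0.2.44", "method": "POST", "url": "/ping.php",
     "content_type": FORM, "body": "ping=192.0.2.10&socket=443"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Alerts with `probed_first` set to false are still worth triaging: the flag only records whether the earlier GET was seen from the same source.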
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-mxm5-68jf-rh35: Pinger 1
ghsa_unreviewed·2026-02-05
CVE-2020-37123 [CRITICAL] CWE-78 GHSA-mxm5-68jf-rh35: Pinger 1
VulnCheck
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 9.3
CVE-2020-37123 [CRITICAL] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: wcchandler Pinger
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2020-37123
No detection rules found.
Nuclei
Pinger 1.0 - Remote Code Execution
nuclei·CVSS 9.3
CVE-2020-37123 [CRITICAL] Pinger 1.0 - Remote Code Execution
Template:
```yaml
id: CVE-2020-37123
info:
  name: Pinger 1.0 - Remote Code Execution
  author: bswearingen
  severity: critical
  description: |
    Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters.
  impact: |
    An unauthenticated attacker can exe
```
No writeups or analysis indexed.
2026-02-05: Published
Exploited in the wild