CVE-2020-4000
published 2020-11-24


Priority: P2 · 65 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 43.02% (98.6th percentile)
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 allows for executing files through directory traversal. An authenticated SD-WAN Orchestrator user is able to traverse directories, which may lead to code execution of files.

Affected

17 ranges
Vendor   Product                  Version range       Fixed in
f5       big-ip_aam
f5       big-ip_advanced_waf
f5       big-ip_afm
f5       big-ip_analytics
f5       big-ip_apm
f5       big-ip_asm
f5       big-ip_dhd
f5       big-ip_dns
f5       big-ip_fps
f5       big-ip_gtm
f5       big-ip_link_controller
f5       big-ip_ltm
f5       big-ip_pem
f5       ssl_orchestrator
vmware   sd-wan_orchestrator
vmware   sd-wan_orchestrator      >= 3.4.0 < 3.4.4    3.4.4
vmware   sd-wan_orchestrator      >= 4.0.0 < 4.0.1    4.0.1

Detection & IOCs (extracted from sources)

url: portal/rest/meta/
bytes: |2e 2e 2f| (hex bytes for ../)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Path Traversal (CVE-2020-4000)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"portal/rest/meta/"; fast_pattern; content:"?"; content:"|2e 2e 2f|"; reference:cve,2020-4000; classtype:attempted-admin; sid:2035103; rev:2; metadata:created_at 2022_02_04, cve CVE_2020_4000, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_04, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Exploit traffic is an authenticated HTTP GET request to the 'portal/rest/meta/' endpoint containing a '?' query parameter followed by a path traversal sequence (|2e 2e 2f| = '../'). Monitor inbound HTTP GET requests to SD-WAN Orchestrator for this URI pattern.
  • Exploitation requires an authenticated session — correlate path traversal attempts with prior successful logins to the SD-WAN Orchestrator portal to identify compromised accounts.
  • MITRE mapping is TA0007 (Discovery) / T1083 (File and Directory Discovery), suggesting attackers use this traversal to enumerate the filesystem before executing files.
  • Vulnerable versions are SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1. Ensure detection rules are scoped to hosts running these versions.
  • The Snort/Suricata rule (SID 2035103) is recommended for both Perimeter and Internal deployment zones, reflecting that exploitation can originate from external attackers or malicious insiders with valid credentials.
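
The rule's matching logic applied offline to web access logs, as an added example (not from the original page or the rule's author). It assumes Combined Log Format with the authenticated user in the third field; the sample lines and the parameter name `p` are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Assumed log layout: Combined Log Format from a proxy in front of the Orchestrator.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "portal/rest/meta/"   # URI content from the rule on this page
TRAVERSAL = "../"                # |2e 2e 2f|

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both normalise."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def match_line(line):
    """Return a dict for a log line matching the rule's logic, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    path, sep, query = m["uri"].partition("?")
    if not sep or ENDPOINT not in fully_decode(path):
        return None
    if TRAVERSAL not in fully_decode(query):
        return None
    return {"ip": m["ip"], "user": m["user"], "status": int(m["status"])}

def scan(lines):
    """Collect all matching lines; the user field feeds login correlation."""
    return [hit for hit in map(match_line, lines) if hit]

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - alice [04/Feb/2022:10:00:01 +0000] "GET /portal/rest/meta/item?p=../../placeholder HTTP/1.1" 200 512',
    '192.0.2.11 - bob [04/Feb/2022:10:00:02 +0000] "GET /portal/rest/meta/item?p=%252e%252e%252fplaceholder HTTP/1.1" 403 0',
    '192.0.2.12 - carol [04/Feb/2022:10:00:03 +0000] "GET /portal/rest/meta/item?p=docs HTTP/1.1" 200 128',
    '192.0.2.13 - dave [04/Feb/2022:10:00:04 +0000] "POST /portal/rest/meta/item?p=../x HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The `user` and `ip` fields of each hit are the keys for correlating against prior successful portal logins; a hit that returned status 200 deserves attention before one that was rejected.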

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_oracle             9.8     CRITICAL
vendor_cisco              6.4     MEDIUM
vendor_redhat             6.1     MEDIUM