CVE-2020-4211
Published 2020-02-24. CVE-2020-4211: IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command…
Priority: P2 · 74 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 71.09% (99.3rd percentile)
IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175022.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | spectrum_protect | — | — |
| ibm | spectrum_protect | >= 10.1.0 < 10.1.5 | 10.1.5 |
| ibm | spectrum_protect_plus | — | — |
| ibm | spectrum_protect_plus | — | — |
| ibm | spectrum_protect_plus | 10.1.0 – 10.1.5 | — |
| msrc | microsoft_excel_2010_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
Command (proof-of-concept request quoted by the source; the target host is elided in the original):
`curl -ki --tlsv1.2 -H 'x-ac-sessionid: abcd' -d "hostname=';id >/tmp/cmd_injection;echo '" 'https:// :8090/emi/api/hostname'`
Snort/Suricata rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Spectrum Protect Plus - Command Injection Attempt Inbound (CVE-2020-4211)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hostname"; fast_pattern; http.request_body; content:"hostname="; pcre:"/^[^&]*?\x3b/R"; reference:cve,2020-4211; classtype:web-application-attack; sid:2061823; rev:2; metadata:attack_target Server, created_at 2025_04_23, cve CVE_2020_4211, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect POST requests to `/emi/api/hostname` containing `hostname=` in the body with a semicolon (0x3b) in the parameter value — the semicolon is the command injection delimiter that bypasses the single-quote escaping added by the incomplete fix.
- The exploit uses a static, arbitrary fake session header `x-ac-sessionid: abcd` — the endpoint does not authenticate, so any value works. Alerting on POST requests to `/emi/api/hostname` regardless of session token validity is appropriate.
- The injection payload pattern is `hostname=';[command];` — look for a single quote followed by a semicolon in the `hostname` POST body parameter to identify exploitation attempts.
- Monitor for creation of unexpected files under `/tmp/` on SPP appliances (e.g., `/tmp/cmd_injection`, `/tmp/hacked`) as post-exploitation indicators of successful command injection.
- The SPP administrative console listens on TCP port 8090; scope network detection rules to this port for the `/emi/api/*` endpoint family.
- CVE-2020-4211 was only partially fixed in IBM SPP 10.1.5-2181; the patch added single-quoting of the `hostname` parameter but did not fully prevent injection. CVE-2020-4469 is the bypass of that incomplete fix and affects 10.1.0 through 10.1.5.
- The `/emi/api/hostname` endpoint requires no authentication — the `x-ac-sessionid` header value is not validated, meaning any value (including `abcd`) is accepted. Detection rules should not rely on session token anomalies.
- The Snort/Suricata rule (sid:2061823) targets the CVE-2020-4211 injection pattern (semicolon in the `hostname` body parameter via POST to `/hostname`). Ensure the `$HOME_NET` and `$HTTP_SERVERS` variables include the SPP appliance IP and port 8090 for the rule to fire correctly.
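To make the rule's matching logic concrete for analysts who want to replay it against captured traffic, here is an added Python example (not from the source page, not from the ET ruleset, and not IBM code). It ports the conditions of sid:2061823 literally (POST, `/hostname` in the URI, `hostname=` in the body, then `/^[^&]*?\x3b/R` on the raw body) and runs them over constructed sample requests. The hostname `spp.example.internal`, the request bodies and the session id are constructed placeholders. It also adds a supplementary check of my own that percent-decodes the parameter first: the pcre in the rule inspects the raw body buffer for a literal 0x3b byte, so an encoded `%3B` would not trigger it; whether the appliance decodes the value before use is not stated on this page, so treat that second check as a defensive assumption rather than a documented gap.

```python
import re
from urllib.parse import unquote_plus

HOSTNAME_PARAM = "hostname="


def build_request(method: str, uri: str, body: str) -> str:
    """Assemble a raw HTTP/1.1 request. Host, port and session id are constructed
    placeholders for this example, not values captured from real traffic."""
    return (
        f"{method} {uri} HTTP/1.1\r\n"
        "Host: spp.example.internal:8090\r\n"
        "x-ac-sessionid: abcd\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


# Constructed sample traffic: a literal-semicolon injection attempt, a benign
# hostname change, a percent-encoded variant, and an unrelated GET.
SAMPLE_REQUESTS = {
    "literal_semicolon": build_request("POST", "/emi/api/hostname", "hostname=a;id"),
    "benign_rename": build_request("POST", "/emi/api/hostname", "hostname=backup01&other=1"),
    "encoded_semicolon": build_request("POST", "/emi/api/hostname", "hostname=a%3Bid"),
    "unrelated_get": build_request("GET", "/emi/api/status", ""),
}


def parse_request(raw: str):
    """Split a raw request into (method, uri, body). Returns (None, None, body)
    when the request line is malformed; headers are not needed for this check."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return None, None, body
    return parts[0], parts[1], body


def hostname_remainder(body: str):
    """Return everything after the first 'hostname=' in the body, or None if absent.
    This mirrors the rule's content:"hostname=" match followed by a relative pcre."""
    idx = body.find(HOSTNAME_PARAM)
    if idx < 0:
        return None
    return body[idx + len(HOSTNAME_PARAM):]


def _is_hostname_post(method, uri) -> bool:
    # http.method content:"POST" and http.uri content:"/hostname"
    return method == "POST" and uri is not None and "/hostname" in uri


def matches_et_rule(raw: str) -> bool:
    """Literal port of sid:2061823: the pcre /^[^&]*?\\x3b/R requires a raw 0x3b
    byte somewhere in the hostname value before the next '&' separator."""
    method, uri, body = parse_request(raw)
    if not _is_hostname_post(method, uri):
        return False
    rest = hostname_remainder(body)
    if rest is None:
        return False
    return re.match(r"^[^&]*?\x3b", rest) is not None


def matches_decoded_semicolon(raw: str) -> bool:
    """Supplementary check (added here, not part of the ET rule): percent-decode
    the hostname value first so that 'a%3Bid' is judged the same as 'a;id'."""
    method, uri, body = parse_request(raw)
    if not _is_hostname_post(method, uri):
        return False
    rest = hostname_remainder(body)
    if rest is None:
        return False
    value = unquote_plus(rest.split("&", 1)[0])
    return ";" in value


def scan(requests: dict) -> dict:
    """Run both checks over a name -> raw request mapping and return the verdicts."""
    return {
        name: {"et_rule": matches_et_rule(raw), "decoded": matches_decoded_semicolon(raw)}
        for name, raw in requests.items()
    }


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_REQUESTS).items():
        print(f"{name:18s} et_rule={verdict['et_rule']!s:5s} decoded={verdict['decoded']}")
```

Running the block prints one line per sample: the literal-semicolon request fires both checks, the benign rename fires neither, the `%3B` variant fires only the decoded check, and the GET is ignored. When replaying real captures, feed `scan()` the raw request bytes as text and scope the input to traffic destined for port 8090, as the notes above recommend.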
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 7.8 | HIGH | — |
GHSA: GHSA-6w3r-59v2-xcqg: IBM Spectrum Protect Plus 10 (ghsa_unreviewed · 2022-05-24)
CVE-2020-4211 [HIGH] CWE-74
Description: identical to the CVE-2020-4211 text above (IBM X-Force ID: 175022).
GHSA: GHSA-5pwc-mh67-m6xf: IBM Spectrum Protect Plus 10 (ghsa_unreviewed · 2022-05-24 · CVSS 9.8)
CVE-2020-4469 [CRITICAL]
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. This vulnerability is due to an incomplete fix for CVE-2020-4211. IBM X-Force ID: 181724.
Microsoft: Microsoft Excel Remote Code Execution Vulnerability (vendor_msrc · 2020-12-08 · CVSS 7.8)
CVE-2020-17127 [HIGH]
FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.
Product: Microsoft Office
Vendor: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely
Reference: https://www.microsoft.com/download/details.aspx?familyid=f8adf8be-1608-41cf-8fbd-fc6f2bc2b84b
Reference: https://support.microsoft.com/kb/4493148
Reference: https://www.microsoft.com/download/details.aspx?familyid=4540f5bf-a3dc-4211-b276-527c12b6b285
Suricata: ET EXPLOIT IBM Spectrum Protect Plus - Command Injection Attempt Inbound (CVE-2020-4211) (suricata · 2025-04-23 · CVSS 9.8)
CVE-2020-4211 [CRITICAL]
Rule: sid:2061823, reproduced in full in the Detection & IOCs section above.
No public exploits indexed.
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/175022
- https://www.ibm.com/support/pages/node/3178863
- https://www.zerodayinitiative.com/advisories/ZDI-20-273/
Published: 2020-02-24