CVE-2020-4211
published 2020-02-24

Priority: P274 (critical)
CVSS 3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 71.09% (99.3rd percentile)
IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175022.

Affected

6 ranges

Vendor | Product | Version range | Fixed in
ibm | spectrum_protect | (unspecified) | 
ibm | spectrum_protect | >= 10.1.0, < 10.1.5 | 10.1.5
ibm | spectrum_protect_plus | (unspecified) | 
ibm | spectrum_protect_plus | (unspecified) | 
ibm | spectrum_protect_plus | 10.1.0 – 10.1.5 | 
msrc | microsoft_excel_2010_service_pack_2 | (unspecified) | 

Caveats on this table: the vulnerable product is IBM Spectrum Protect Plus (SPP); the spectrum_protect rows appear to be a CPE naming artefact, and the msrc/Excel row does not correspond to this CVE and should be disregarded. The ">= 10.1.0, < 10.1.5, fixed in 10.1.5" range also conflicts with the description, which lists 10.1.5 itself as affected: the fix shipped as an interim fix build on 10.1.5 (10.1.5-2181), so treat a base 10.1.5 install as vulnerable until that build or later is confirmed.

Detection & IOCs (extracted from sources)

url: /emi/api/hostname
port: 8090 (TCP, SPP administrative console, TLS)
header: x-ac-sessionid: abcd (arbitrary value; the endpoint does not validate it)
command (target host omitted in the source): curl -ki --tlsv1.2 -H 'x-ac-sessionid: abcd' -d "hostname=';id >/tmp/cmd_injection;echo '" 'https:// :8090/emi/api/hostname'
snort (ET sid:2061823):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Spectrum Protect Plus - Command Injection Attempt Inbound (CVE-2020-4211)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hostname"; fast_pattern; http.request_body; content:"hostname="; pcre:"/^[^&]*?\x3b/R"; reference:cve,2020-4211; classtype:web-application-attack; sid:2061823; rev:2; metadata:attack_target Server, created_at 2025_04_23, cve CVE_2020_4211, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect POST requests to /emi/api/hostname whose body carries a hostname= parameter with a semicolon (0x3b) in the value before the next '&'. The semicolon terminates the injected shell command; the single-quote-plus-semicolon form (hostname=';[command];echo ') is what defeats the single-quoting added by the incomplete fix, so one rule covers both the original injection and its bypass.
  • The /emi/api/hostname endpoint does not authenticate: the x-ac-sessionid header value is not validated and any value (the PoC uses 'abcd') is accepted. Alert on POST requests to /emi/api/hostname regardless of the session token, and do not build detection on session-token anomalies.
  • Look for a single quote followed by a semicolon at the start of the hostname value (hostname=';[command];) to identify exploitation attempts that account for the quoting added in the patched build.
  • Monitor for unexpected files under /tmp/ on SPP appliances (e.g., /tmp/cmd_injection, /tmp/hacked) as post-exploitation indicators of a successful injection.
  • The SPP administrative console listens on TCP port 8090; scope network rules to this port and the /emi/api/* endpoint family.
  • CVE-2020-4211 was only partially fixed in IBM SPP 10.1.5-2181: the patch single-quoted the hostname parameter but did not prevent injection. CVE-2020-4469 is the bypass of that incomplete fix and affects 10.1.0 through 10.1.5.
  • The Snort/Suricata rule (sid:2061823) matches a POST to a URI containing /hostname with "hostname=" in the body followed by a literal semicolon before the next '&' (pcre /^[^&]*?\x3b/R). Ensure $HOME_NET and $HTTP_SERVERS include the SPP appliance and that port 8090 is handed to the HTTP parser, since the rule uses http.* sticky buffers. Because the console serves HTTPS on 8090 (the PoC uses curl --tlsv1.2), the sensor only sees the request body with TLS termination or decryption in front of it; without that, rely on the host-side /tmp/ indicators above.
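The rule logic above, reimplemented in Python over constructed HTTP requests as an added example (not code from the page, from IBM, or from Emerging Threats). The host 192.0.2.10 and every sample body other than the published PoC are assumptions made for the example. It shows the '&'-bounded semicolon check the pcre performs and one caveat the rule as written carries: http.request_body is the undecoded body, so a payload sent as %3B does not trigger it, although a form-encoded parameter is normally URL-decoded by the server before use; decode_body=True shows the more robust variant.

```python
import re
from urllib.parse import unquote_plus

# Relative match used by the ET rule: from the end of "hostname=", any run of
# non-'&' bytes followed by a literal semicolon (0x3b). Mirrors pcre /^[^&]*?\x3b/R.
SEMICOLON_IN_VALUE = re.compile(r"^[^&]*?\x3b")
URI_MARKER = "/hostname"
PARAM = "hostname="


def build_request(path, body, headers=None):
    """Assemble a raw HTTP/1.1 POST (constructed sample, not captured traffic)."""
    lines = [f"POST {path} HTTP/1.1", "Host: 192.0.2.10:8090"]  # host is a placeholder
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Content-Type: application/x-www-form-urlencoded")
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_request(raw):
    """Split a raw request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def rule_matches(raw, decode_body=False):
    """Apply the sid:2061823 logic. decode_body=False mirrors the rule, which
    inspects the raw request body; True URL-decodes first, catching %3B evasions."""
    method, uri, _headers, body = parse_request(raw)
    if method != "POST" or URI_MARKER not in uri:
        return False
    if decode_body:
        body = unquote_plus(body)
    # Snort retries later occurrences of the content match when the relative
    # pcre fails, so check every "hostname=" in the body, not just the first.
    for m in re.finditer(re.escape(PARAM), body):
        if SEMICOLON_IN_VALUE.match(body[m.end():]):
            return True
    return False


def injected_value(raw):
    """Return the decoded hostname value, i.e. what an analyst wants in the alert."""
    _method, _uri, _headers, body = parse_request(raw)
    idx = body.find(PARAM)
    if idx == -1:
        return None
    return unquote_plus(body[idx + len(PARAM):].split("&", 1)[0])


# Constructed samples. "poc" carries the published PoC body; the rest are variations.
SAMPLES = {
    "poc": build_request("/emi/api/hostname", "hostname=';id >/tmp/cmd_injection;echo '",
                         {"x-ac-sessionid": "abcd"}),
    "benign": build_request("/emi/api/hostname", "hostname=spp-backup01"),
    "semicolon_in_other_param": build_request("/emi/api/hostname", "hostname=spp01&note=a;b"),
    "urlencoded_poc": build_request("/emi/api/hostname", "hostname=%27%3Bid%3Becho%20%27",
                                    {"x-ac-sessionid": "zzzz"}),
    "other_endpoint": build_request("/emi/api/other", "hostname=';id;'"),
}


def classify(samples, decode_body=False):
    """Run the rule over name -> raw request; return the sorted names that alert."""
    return sorted(name for name, raw in samples.items() if rule_matches(raw, decode_body))


if __name__ == "__main__":
    print("raw-body matches:    ", classify(SAMPLES))
    print("decoded-body matches:", classify(SAMPLES, decode_body=True))
    print("PoC payload:         ", injected_value(SAMPLES["poc"]))
```

Run it with python3 and no arguments. Only "poc" alerts against the raw body; "urlencoded_poc" only alerts once the body is decoded, and "semicolon_in_other_param" never does because the '&' stops the match before the semicolon, which is exactly the boundary the pcre enforces.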

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
vendor_msrc: 7.8 HIGH (no vector given; like the msrc row in the affected table, this entry does not correspond to an IBM product and should be disregarded)