cbcvebase.
CVE-2020-5776
published 2020-09-01


Priority: P2 · 77 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
ITW / Exploit: VulnCheck KEV (exploited in the wild)
EPSS: 14.72% (96.2th percentile)
Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.

Affected

1 range

Vendor    Product   Version range   Fixed in
dweeves   magmi     0 – 0.7.24

Detection & IOCs (extracted from sources)

path: /magmi/web/magmi_saveprofile.php
path: /magmi/web/magmi_run.php
path: /magmi/web/info.php
command: echo "<?php phpinfo();" > /var/www/html/magmi/web/info.php; php
path: /var/www/html/magmi/web/info.php
other: magmi:magmi
  • Detect exploit attempts by monitoring POST requests to /magmi/web/magmi_saveprofile.php containing the REINDEX:phpcli parameter, which is used to inject arbitrary PHP commands via the phpcli RCE vector.
  • Monitor for POST requests to /magmi/web/magmi_run.php with parameters engine=magmi_productimportengine and run=import immediately following a saveprofile request, indicating a two-stage exploit chain.
  • Alert on GET requests to /magmi/web/info.php returning HTTP 200 with body containing both 'PHP Extension' and 'PHP Version', which confirms successful webshell/phpinfo drop via the exploit.
  • Use Shodan queries http.component:"Magento" or http.component:"magento" to identify internet-exposed Magento instances that may have MAGMI installed and be vulnerable.
  • For CVE-2020-5777 (companion vulnerability): monitor for HTTP Basic Auth attempts using the credentials magmi:magmi against MAGMI endpoints, especially during periods of elevated MySQL connection load (DB-DoS condition).
  • The DB-DoS condition enabling CVE-2020-5777 only succeeds when MySQL max_connections is greater than Apache MaxRequestWorkers. The default MySQL max_connections is 151; Apache 2.4.10+ defaults to 250 or 400, making the attack feasible. Older Apache defaults (150) are smaller than the MySQL default, preventing the attack.
  • CVE-2020-5776 (CSRF/RCE) remained unpatched as of the blog publication date; CVE-2020-5777 (auth bypass) was patched in MAGMI version 0.7.24 on August 30, 2020. The Magento 2 fork of MAGMI is also vulnerable and had no patch at the time of publication.
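An added detection example, not from the page's sources, that correlates the three request-level indicators above per source address: it assumes HTTP requests have already been parsed (e.g. from a WAF or reverse-proxy log) into dicts with decoded form fields and a response-body snippet, and the sample records and IP addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of parsed request records; not real traffic. The first three
# records model the saveprofile -> run -> info.php chain from one source, the last
# is a legitimate import run with no preceding phpcli profile write.
SAMPLE_REQUESTS = [
    {"ts": "2020-09-01T10:00:00", "src": "198.51.100.7", "method": "POST",
     "path": "/magmi/web/magmi_saveprofile.php",
     "params": {"profile": "default", "REINDEX:phpcli": "<redacted>"},
     "status": 200, "body": ""},
    {"ts": "2020-09-01T10:00:02", "src": "198.51.100.7", "method": "POST",
     "path": "/magmi/web/magmi_run.php",
     "params": {"engine": "magmi_productimportengine", "run": "import"},
     "status": 200, "body": ""},
    {"ts": "2020-09-01T10:00:05", "src": "198.51.100.7", "method": "GET",
     "path": "/magmi/web/info.php", "params": {}, "status": 200,
     "body": "<h1>PHP Version 7.2</h1> ... PHP Extension ..."},
    {"ts": "2020-09-01T11:30:00", "src": "203.0.113.9", "method": "POST",
     "path": "/magmi/web/magmi_run.php",
     "params": {"engine": "magmi_productimportengine", "run": "import"},
     "status": 200, "body": ""},
]

CHAIN_WINDOW = timedelta(minutes=5)  # max gap between saveprofile and run (assumed)

def detect_magmi_chain(requests, window=CHAIN_WINDOW):
    """Return (src, alert) tuples; the run-stage alert fires only when the same
    source wrote a REINDEX:phpcli profile within `window` beforehand."""
    alerts = []
    last_phpcli_write = {}  # src -> time of last saveprofile carrying REINDEX:phpcli
    for r in sorted(requests, key=lambda x: x["ts"]):
        ts, src, path, params = datetime.fromisoformat(r["ts"]), r["src"], r["path"], r["params"]
        if r["method"] == "POST" and path == "/magmi/web/magmi_saveprofile.php" \
                and "REINDEX:phpcli" in params:
            last_phpcli_write[src] = ts
            alerts.append((src, "phpcli-profile-write"))
        elif r["method"] == "POST" and path == "/magmi/web/magmi_run.php" \
                and params.get("engine") == "magmi_productimportengine" \
                and params.get("run") == "import":
            prior = last_phpcli_write.get(src)
            if prior is not None and ts - prior <= window:
                alerts.append((src, "two-stage-rce-chain"))
        elif r["method"] == "GET" and path == "/magmi/web/info.php" and r["status"] == 200 \
                and "PHP Extension" in r["body"] and "PHP Version" in r["body"]:
            alerts.append((src, "phpinfo-drop-confirmed"))
    return alerts

if __name__ == "__main__":
    for src, alert in detect_magmi_chain(SAMPLE_REQUESTS):
        print(f"{src}: {alert}")
```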

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck · 8.8 HIGH