CVE-2020-5776
Published 2020-09-01
Priority P277 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.72% (96.2th percentile)
Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dweeves | magmi | 0 – 0.7.24 | — |
Detection & IOCs (extracted from sources)

| Type | Value |
|---|---|
| path | /magmi/web/magmi_saveprofile.php |
| path | /magmi/web/magmi_run.php |
| path | /magmi/web/info.php |
| command | `echo "<?php phpinfo();" > /var/www/html/magmi/web/info.php; php` |
| path | /var/www/html/magmi/web/info.php |

- Detect exploit attempts by monitoring POST requests to /magmi/web/magmi_saveprofile.php containing the REINDEX:phpcli parameter, which is used to inject arbitrary PHP commands via the phpcli RCE vector.
- Monitor for POST requests to /magmi/web/magmi_run.php with parameters engine=magmi_productimportengine and run=import immediately following a saveprofile request, indicating a two-stage exploit chain.
- Alert on GET requests to /magmi/web/info.php returning HTTP 200 with body containing both 'PHP Extension' and 'PHP Version', which confirms successful webshell/phpinfo drop via the exploit.
- Use Shodan queries http.component:"Magento" or http.component:"magento" to identify internet-exposed Magento instances that may have MAGMI installed and be vulnerable.
- For CVE-2020-5777 (companion vuln): monitor for HTTP Basic Auth attempts using credentials magmi:magmi against MAGMI endpoints, especially during periods of elevated MySQL connection load (DB-DoS condition).
- The DB-DoS condition enabling CVE-2020-5777 only succeeds when MySQL max_connections is greater than Apache MaxRequestWorkers. Default MySQL max_connections is 151; Apache 2.4.10+ defaults to 250 or 400, making the attack feasible. Older Apache defaults (150) are smaller than MySQL defaults, preventing the attack.
- CVE-2020-5776 (CSRF/RCE) remained unpatched as of the blog publication date; CVE-2020-5777 (auth bypass) was patched in MAGMI version 0.7.24 on August 30, 2020. The Magento 2 fork of MAGMI is also vulnerable and had no patch at time of publication.
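
The first three indicators above, correlated per client over proxy or WAF records that capture request and response bodies, as an added example (not code from any of the cited sources). The JSON record layout, the field names, the 60-second window and the sample records are constructed assumptions.

```python
import json
from urllib.parse import parse_qs

WINDOW = 60  # seconds allowed between saveprofile and run; assumed tuning value

# Constructed sample records (JSON lines from a proxy/WAF that logs bodies).
SAMPLE = """\
{"ts": 100, "src": "10.0.0.5", "method": "POST", "path": "/magmi/web/magmi_saveprofile.php", "status": 200, "body": "profile=default&REINDEX%3Aphpcli=PLACEHOLDER"}
{"ts": 103, "src": "10.0.0.5", "method": "POST", "path": "/magmi/web/magmi_run.php", "status": 200, "body": "engine=magmi_productimportengine&run=import"}
{"ts": 110, "src": "10.0.0.9", "method": "GET", "path": "/magmi/web/info.php", "status": 200, "resp": "<h2>PHP Version 7.2</h2> ... PHP Extension ..."}
{"ts": 500, "src": "10.0.0.7", "method": "POST", "path": "/magmi/web/magmi_run.php", "status": 200, "body": "engine=magmi_productimportengine&run=import"}
{"ts": 600, "src": "10.0.0.7", "method": "POST", "path": "/magmi/web/magmi_saveprofile.php", "status": 200, "body": "profile=default&CSV%3Afilename=a.csv"}
"""

def detect(lines):
    """Return (ts, src, rule) alerts for the three indicators listed above."""
    alerts, last_save = [], {}
    for line in lines:
        if not line.strip():
            continue
        r = json.loads(line)
        form = parse_qs(r.get("body", ""), keep_blank_values=True)
        method, path = r["method"], r["path"].split("?")[0]
        if method == "POST" and path.endswith("/magmi/web/magmi_saveprofile.php"):
            if "REINDEX:phpcli" in form:  # parameter name after URL-decoding
                last_save[r["src"]] = r["ts"]
                alerts.append((r["ts"], r["src"], "saveprofile-phpcli"))
        elif method == "POST" and path.endswith("/magmi/web/magmi_run.php"):
            chained = r["ts"] - last_save.get(r["src"], float("-inf")) <= WINDOW
            if chained and form.get("engine") == ["magmi_productimportengine"] \
                    and form.get("run") == ["import"]:
                alerts.append((r["ts"], r["src"], "two-stage-chain"))
        elif method == "GET" and path.endswith("/magmi/web/info.php") and r["status"] == 200:
            resp = r.get("resp", "")
            if "PHP Extension" in resp and "PHP Version" in resp:
                alerts.append((r["ts"], r["src"], "info-php-served"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

A run request with no preceding flagged saveprofile from the same client (the 10.0.0.7 records) is treated as a normal import and raises no alert.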
CVSS provenance
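| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |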
OSV
Cross-Site Request Forgery in MAGMI
osv·2021-05-06
CVE-2020-5776 [MEDIUM] Cross-Site Request Forgery in MAGMI
All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
GHSA
Cross-Site Request Forgery in MAGMI
ghsa·2021-05-06
CVE-2020-5776 [MEDIUM] CWE-352 Cross-Site Request Forgery in MAGMI
All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
VulnCheck
magmi_project magmi Cross-Site Request Forgery (CSRF)
vulncheck·2020·CVSS 8.8
CVE-2020-5776 [HIGH] magmi_project magmi Cross-Site Request Forgery (CSRF)
Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
Affected: magmi_project magmi
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2020-5776; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerab
No detection rules found.
Nuclei
MAGMI - Cross-Site Request Forgery
nuclei·CVSS 8.8
CVE-2020-5776 [HIGH] MAGMI - Cross-Site Request Forgery
MAGMI (Magento Mass Importer) is vulnerable to cross-site request forgery (CSRF) due to a lack of CSRF tokens. Remote code execution (via phpcli command) is also possible in the event that CSRF is leveraged against an existing admin session.
Template:

```yaml
id: CVE-2020-5776

info:
  name: MAGMI - Cross-Site Request Forgery
  author: dwisiswant0
  severity: high
  description: MAGMI (Magento Mass Importer) is vulnerable to cross-site request forgery (CSRF) due to a lack of CSRF tokens. Remote code execution (via phpcli command) is also possible in the event that CSRF is leveraged against an existing admin session.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to perform unauthorized actions on behalf of the victim user.
  remediation:
```

Tenable
One Year Later: What Can We Learn from Zerologon?
blogs_tenable·2021-08-11
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
Authors: Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen
Published: July 1, 2021
Tenable
CVE-2020-5776, CVE-2020-5777: Multiple Vulnerabilities in the MAGMI Magento Mass Import Plugin
blogs_tenable·2020-09-01·CVSS 8.8
[HIGH] CVE-2020-5776, CVE-2020-5777: Multiple Vulnerabilities in the MAGMI Magento Mass Import Plugin
Tenable
MAGMI Multiple Vulnerabilities
blogs_tenable·2020-09-01
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio