cbcvebase.
CVE-2020-6627
published 2022-12-06


Priority: P2 · 74
Severity: critical, 9.8 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 12.45% (95.7th percentile)
The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.

Detection & IOCs (extracted from sources)

  • url: /index.php/Start/get_firmware
  • url: /index.php/Start/set_start_info
  • url: /index.php/Start/add_edit_user
  • url: /index.php/Start/json_get_start_info
  • path: cirrus/application/helpers/mv_backend_helper.php
  • other: X-Requested-With: XMLHttpRequest
  • version: 2015.0916

  • Detect unauthenticated GET to /index.php/Start/get_firmware with X-Requested-With: XMLHttpRequest header as a fingerprinting/check step for this exploit
  • Detect unauthenticated POST to /index.php/Start/set_start_info with JSON body containing 'state':'start' — this is the access-control bypass step that enables subsequent exploitation
  • Detect unauthenticated POST to /index.php/Start/add_edit_user with isAdmin:true in the JSON body — this is the unauthorized admin user creation step
  • Alert on SSH login (port 22) to a Seagate Central NAS immediately following the above unauthenticated HTTP POST sequence — indicates successful RCE via newly created admin account
  • The exploit leverages the device being in or forced into the 'start' state; monitor for the check_device_name request as the OS command injection trigger
  • Exploit only works against firmware version 2015.0916; the check step confirms the strings 'Cirrus NAS' and '2015.0916' in the /get_firmware response before proceeding
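As an added illustration (not code from this page's sources or from Seagate), a small Python correlator that applies the detection bullets above to constructed request records: each unauthenticated step is flagged on its own, and a 'chain' alert fires when the state-bypass and admin-creation steps arrive from one source within a short window. The record fields, the 300-second window and the sample values are assumptions.

```python
import json
from collections import defaultdict
# Constructed sample requests (not real device logs); the fields assume a reverse
# proxy or WAF in front of the NAS logs method, path, headers, body and session state.
SAMPLE_REQUESTS = [
    {"ts": 100, "src": "203.0.113.7", "method": "GET", "auth": False,
     "path": "/index.php/Start/get_firmware", "body": "",
     "headers": {"X-Requested-With": "XMLHttpRequest"}},
    {"ts": 101, "src": "203.0.113.7", "method": "POST", "auth": False,
     "path": "/index.php/Start/set_start_info", "body": '{"state":"start"}'},
    {"ts": 102, "src": "203.0.113.7", "method": "POST", "auth": False,
     "path": "/index.php/Start/add_edit_user", "body": '{"username":"svc","isAdmin":true}'},
    # Benign: an authenticated admin hitting the same endpoint during setup.
    {"ts": 900, "src": "198.51.100.9", "method": "POST", "auth": True,
     "path": "/index.php/Start/set_start_info", "body": '{"state":"start"}'},
]

def classify_step(req):
    """Map one unauthenticated request onto a step of the published chain, or None."""
    if req.get("auth"):
        return None  # only unauthenticated use of these endpoints is suspicious
    try:
        body = json.loads(req.get("body") or "{}")
    except ValueError:
        body = {}  # non-JSON body: the JSON-based checks below simply do not match
    path, post = req["path"], req["method"] == "POST"
    xhr = req.get("headers", {}).get("X-Requested-With") == "XMLHttpRequest"
    if req["method"] == "GET" and path.endswith("/Start/get_firmware") and xhr:
        return "fingerprint"
    if post and path.endswith("/Start/set_start_info") and body.get("state") == "start":
        return "state_bypass"
    if post and path.endswith("/Start/add_edit_user") and body.get("isAdmin") is True:
        return "admin_create"
    return None

def detect(requests, window=300):
    """Return (src, alert) pairs: one per step, plus 'chain' when state_bypass and
    admin_create arrive from the same source within `window` seconds."""
    alerts, first_seen = [], defaultdict(dict)  # first_seen[src][step] = ts
    for req in sorted(requests, key=lambda r: r["ts"]):
        step, src = classify_step(req), req["src"]
        if step is None:
            continue
        alerts.append((src, step))
        first_seen[src].setdefault(step, req["ts"])
        bypass_ts = first_seen[src].get("state_bypass")
        if step == "admin_create" and bypass_ts is not None and req["ts"] - bypass_ts <= window:
            alerts.append((src, "chain"))
    return alerts
```

Running `detect(SAMPLE_REQUESTS)` yields the three step alerts and one 'chain' alert for 203.0.113.7; the authenticated setup request produces nothing.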