cbcvebase.
CVE-2020-7351
published 2020-05-01

CVE-2020-7351: An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on…

PriorityP278high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
65.21%
99.2th percentile
An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected.

Affected

2 ranges
VendorProductVersion rangeFixed in
fonalitytrixbox_community_edition2.8.0.4 – 2.8.0.4
netfortristrixbox1.2.0 – 2.8.0.4

Detection & IOCsextracted from sources · hover to see the quote

path/maint/modules/endpointcfg/endpoint_devicemap.php
  • Monitor HTTP POST requests targeting /maint/modules/endpointcfg/endpoint_devicemap.php — specifically inspect the 'network' POST parameter for OS command injection payloads (e.g., shell metacharacters, backticks, semicolons, pipe characters).
  • Alert on processes spawned as the 'asterisk' user that invoke shells (e.g., /bin/sh, /bin/bash) or nmap, as exploitation runs commands under that account and privilege escalation uses 'sudo nmap --interactive' then '!sh'.
  • Detect privilege escalation attempts via 'sudo nmap --interactive' followed by shell escape '!sh', which is the documented post-exploitation path from 'asterisk' to 'root' on affected Trixbox CE systems.
  • ·Exploitation requires authentication — the vulnerability is in an authenticated endpoint. Ensure web application login monitoring is in place to detect brute-force or credential-stuffing attempts against the Trixbox CE management interface prior to exploitation.
  • ·Trixbox Community Edition has been unsupported by the vendor since 2012 — no patch will be issued. Detection and network isolation are the only mitigations for affected versions 1.2.0 through 2.8.0.4.
  • ·Versions 1.0 and 1.1 of Trixbox Community Edition are explicitly NOT affected and should not be flagged by version-based detection rules.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.