cbcvebase.
CVE-2020-7357
published 2020-08-06

CVE-2020-7357: Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute…

PriorityP178critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EXPLOIT
EPSS
33.87%
98.2th percentile
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS version 8.2, 8.0, and 7.5.

Affected

14 ranges
VendorProductVersion rangeFixed in
cayin_technologycayin_cms
cayin_technologycayin_cms
cayin_technologycayin_cms
cayin_technologycayin_cms-209.0 Build 14917 – 9.0 Build 14917
cayin_technologycayin_cms-409.0 Build 14917 – 9.0 Build 14917
cayin_technologycayin_cms-6011.0 Build 19025 – 11.0 Build 19025
cayin_technologycayin_cms-se11.0 Build 19179 – 11.0 Build 19179
cayintechcms
cayintechcms
cayintechcms
cayintechcms-20_firmware
cayintechcms-40_firmware
cayintechcms-60_firmware
cayintechcms-se_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/system.cgi
path/system_service.cgi
otherNTP_Server_IP
otherntpIp
  • Monitor HTTP POST requests to system.cgi or system_service.cgi targeting the NTP_Server_IP / ntpIp parameter for shell metacharacters or command injection payloads.
  • Exploitation uses repeated/chunked HTTP requests to the ntpIp parameter due to field size limitations — look for an unusual volume of small POST requests to system_service.cgi from the same source.
  • Successful exploitation results in root-level code execution on the underlying Linux host; alert on unexpected root-owned processes spawned by the web server process.
  • Exploitation is authenticated using default credentials — detect use of default Cayin CMS credentials followed by POST activity to the CGI endpoints.
  • ·The exploit targets Cayin CMS-SE built for Ubuntu 16.04; Ubuntu 20.04 is noted as failing to install correctly, so the environment is relatively static and predictable across targets.
  • ·Affected versions span multiple product lines (CME-SE, CMS-60, CMS-40, CMS-20) and software versions 7.5, 8.0, and 8.2, as well as all CMS releases up to and including 11.0.

CVSS provenance

nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.