CVE-2020-7384
published 2020-10-29

Priority: P2 58 (high)
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 30.56% (98.0th percentile)
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.

Affected (2 ranges)

Vendor   Product     Version range              Fixed in
rapid7   metasploit  < 4.19.0                   4.19.0
rapid7   metasploit  >= unspecified, < 4.19.0   4.19.0

Detection & IOCs (extracted from sources)

command: msfvenom -x <apk_file> -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null
command: CN='|echo {payload_b64} | base64 -d | sh #
  • Detect msfvenom invocations that supply a crafted APK as a template via the -x flag, particularly when the APK's certificate DN contains shell metacharacters such as a pipe '|' or a backtick.
  • Inspect APK certificate Distinguished Names (DN) for command injection patterns, specifically a CN field beginning with a single quote followed by a pipe character (CN='|...), which is the injection vector used by this exploit.
  • Monitor for keytool and jarsigner processes spawned with a -dname argument containing shell special characters (|, $, #), as these are used to embed the malicious payload into the APK signing certificate.
  • Alert on child processes (e.g., sh, bash) spawned by msfvenom or Ruby processes while APK template files are being processed; this indicates successful command injection.
  • Look for base64-encoded payloads piped to 'base64 -d | sh' in process command-line arguments; this is the obfuscation technique used to bypass keytool's character restrictions.
  • The exploit affects Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0 specifically; the -x template flag is the attack surface, so defenders should note this only triggers when msfvenom processes an externally supplied APK template.
  • The injection is embedded in the APK's JAR signing certificate DN field, meaning static file scanning of the APK payload itself (not the certificate metadata) will not detect the malicious content; certificate inspection is required.
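The detection bullets above, turned into a small rule set run over process-creation records, as an added example that is not part of this record or of any cited source. The record schema (name, parent_name, cmdline) and the sample records are constructed; field names in a real EDR or auditd feed will differ.

```python
import re
import shlex

# Shell metacharacters that have no business in a certificate DN handed to keytool/jarsigner.
SHELL_META = set("|;&`$#")
B64_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b")
CN_QUOTE_PIPE = re.compile(r"CN=\s*'\s*\|")   # the CN='|... injection shape


def _argv(cmdline: str) -> list:
    try:
        return shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        return cmdline.split()


def _flag_value(argv: list, flag: str):
    for i, a in enumerate(argv[:-1]):
        if a == flag:
            return argv[i + 1]
    return None


def dn_injection_reasons(dn: str) -> list:
    """Flag a certificate DN that carries the injection shape or shell metacharacters."""
    reasons = []
    if CN_QUOTE_PIPE.search(dn):
        reasons.append("CN opens with quote+pipe")
    bad = "".join(sorted(c for c in SHELL_META if c in dn))
    if bad:
        reasons.append("shell metacharacters in DN: " + bad)
    return reasons


def analyze_record(rec: dict) -> list:
    """Return the detection reasons that fire for one process-creation record."""
    argv, name, reasons = _argv(rec["cmdline"]), rec["name"], []
    if name == "msfvenom" and (_flag_value(argv, "-x") or "").lower().endswith(".apk"):
        reasons.append("msfvenom with external APK template (-x)")
    if name in ("keytool", "jarsigner"):
        dname = _flag_value(argv, "-dname")
        if dname:
            reasons.extend(dn_injection_reasons(dname))
    if name in ("sh", "bash") and rec.get("parent_name") in ("msfvenom", "ruby"):
        reasons.append("shell spawned by msfvenom/ruby")
    if B64_TO_SHELL.search(rec["cmdline"]):
        reasons.append("base64-decoded payload piped to a shell")
    return reasons


def scan(records: list) -> dict:
    """Map pid -> reasons for every record that fires at least one rule."""
    return {r["pid"]: analyze_record(r) for r in records if analyze_record(r)}


SAMPLE_RECORDS = [  # constructed sample telemetry
    {"pid": 101, "name": "msfvenom", "parent_name": "bash",
     "cmdline": "msfvenom -x evil.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null"},
    {"pid": 102, "name": "keytool", "parent_name": "bash",
     "cmdline": "keytool -genkey -keystore k.jks -dname \"CN='|echo aGVsbG8= | base64 -d | sh #, O=Example\""},
    {"pid": 103, "name": "sh", "parent_name": "ruby", "cmdline": "sh -c 'echo aGVsbG8= | base64 -d | sh'"},
    {"pid": 104, "name": "keytool", "parent_name": "bash",
     "cmdline": "keytool -genkey -keystore k.jks -dname \"CN=Example App, O=Example\""},
]
```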

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD     v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C