CVE-2020-7980
published 2020-01-25


Priority: P1 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 82.96% (99.6th percentile)
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.

Affected (1 range)

Vendor          Product     Version range   Fixed in
intelliantech   aptus_web   -               -

Detection & IOCs (extracted from sources)

url: /cgi-bin/libagent.cgi?type=J
command: {"O_": "A", "F_": "EXEC_CMD", "S_": 123456789, "P1_": {"Q": "cat /etc/passwd", "F": "EXEC_CMD"}, "V_": 1}

yara:
rule CVE_2020_7980_Intellian_RCE {
    strings:
        $uri = "/cgi-bin/libagent.cgi"
        $field = "EXEC_CMD"
        $cookie = "sid=123456789"
    condition:
        $uri and $field and $cookie
}
sigma:
title: CVE-2020-7980 Intellian Aptus Web RCE
logsource:
  category: webserver
detection:
  selection:
    cs-method: POST
    cs-uri-stem|contains: '/cgi-bin/libagent.cgi'
    cs-uri-query|contains: 'type=J'
    cs-cookie|contains: 'sid=123456789'
  condition: selection
Detection notes:
• The exploit sends POST requests to /cgi-bin/libagent.cgi?type=J with a JSON body containing the key 'F_': 'EXEC_CMD' and the command in the 'Q' sub-field of 'P1_'. Monitor HTTP POST traffic to this URI for the EXEC_CMD function identifier.
• The exploit uses a hard-coded session cookie value 'sid=123456789' (the default Intellian account credential). Presence of this specific sid value in requests to /cgi-bin/libagent.cgi is a strong indicator of exploitation or reconnaissance.
• The PoC appends a Unix epoch timestamp (in milliseconds) as a query parameter after 'type=J'. Look for POST requests matching the pattern /cgi-bin/libagent.cgi?type=J&<13-digit-epoch>.
• Shodan/FOFA exposure queries can identify internet-facing vulnerable devices. Hosts with the HTTP title 'Intellian Aptus Web' are candidate exposed devices.
• Successful exploitation results in command execution as root (uid=0). Correlate web server logs for POSTs to /cgi-bin/libagent.cgi with subsequent anomalous process spawning from the CGI process.
• The regex 'root:[x*]:0:0' in the HTTP response body can be used as a detection matcher to confirm successful /etc/passwd exfiltration via this vulnerability.
• The hard-coded sid value '123456789' corresponds to the default Intellian account. Attackers may also use a legitimately obtained session token, so absence of this exact value does not rule out exploitation.
• The exploit was tested against version 1.12 and confirmed on 1.24; the PoC author notes 'v1.12+' as the affected range, so detection rules should not be version-gated.
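The detection notes above, turned into runnable logic, as an added example that is not part of this page or of any Intellian or VulnCheck tooling. It reads a constructed pipe-delimited web log (method, URI stem, query, cookie, request body, response body; the format is an assumption, as are the sample lines), applies the indicators listed in the notes (POST to /cgi-bin/libagent.cgi with type=J, the 13-digit epoch suffix, the hard-coded sid cookie, the EXEC_CMD identifier in the JSON body, the root:[x*]:0:0 response matcher) and grades each line. Unlike the Sigma rule, which keys on the cookie because webserver logs rarely carry request bodies, this assumes a proxy or WAF log that records bodies; per the note on legitimately obtained tokens, EXEC_CMD alone is enough to raise the verdict, and the default sid only adds confidence.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List

URI_STEM = "/cgi-bin/libagent.cgi"
DEFAULT_SID = "sid=123456789"                      # hard-coded session value noted on the page
EPOCH_QUERY_RE = re.compile(r"^type=J&\d{13}$")    # PoC pattern: type=J&<13-digit epoch ms>
PASSWD_RE = re.compile(r"root:[x*]:0:0")           # response matcher quoted on the page


@dataclass
class Finding:
    line_no: int
    verdict: str                      # benign | suspicious | likely_exploit | confirmed_exploit
    reasons: List[str] = field(default_factory=list)
    command: str = ""                 # Q field, when an EXEC_CMD body was seen


def parse_line(line: str) -> Dict[str, str]:
    """Assumed log format: method|uri_stem|query|cookie|request_body|response_body."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed line: {line!r}")
    keys = ("method", "uri_stem", "query", "cookie", "body", "response")
    return dict(zip(keys, parts))


def extract_exec_cmd(body: str) -> str:
    """Return the Q field if the JSON body carries the EXEC_CMD identifier, else ''."""
    try:
        obj = json.loads(body)
    except ValueError:
        return ""                     # non-JSON bodies are not this exploit
    if not isinstance(obj, dict):
        return ""
    p1 = obj.get("P1_")
    p1 = p1 if isinstance(p1, dict) else {}
    if obj.get("F_") == "EXEC_CMD" or p1.get("F") == "EXEC_CMD":
        return str(p1.get("Q", "")) or "<no Q field>"
    return ""


def analyze(line_no: int, rec: Dict[str, str]) -> Finding:
    f = Finding(line_no=line_no, verdict="benign")
    if rec["method"] != "POST" or rec["uri_stem"] != URI_STEM:
        return f                      # only POSTs to the CGI are in scope
    if rec["query"].startswith("type=J"):
        f.reasons.append("POST to libagent.cgi with type=J")
    if EPOCH_QUERY_RE.match(rec["query"]):
        f.reasons.append("PoC-style 13-digit epoch query suffix")
    if DEFAULT_SID in rec["cookie"]:
        f.reasons.append("hard-coded default sid cookie")
    cmd = extract_exec_cmd(rec["body"])
    if cmd:
        f.command = cmd
        f.reasons.append("EXEC_CMD function identifier in JSON body")
    passwd_hit = bool(PASSWD_RE.search(rec["response"]))
    if passwd_hit:
        f.reasons.append("response contains /etc/passwd root entry")
    # Verdict ladder: EXEC_CMD alone suffices; a matching response confirms success.
    if cmd and passwd_hit:
        f.verdict = "confirmed_exploit"
    elif cmd:
        f.verdict = "likely_exploit"
    elif f.reasons:
        f.verdict = "suspicious"
    return f


def scan(lines: List[str]) -> List[Finding]:
    return [analyze(i, parse_line(ln)) for i, ln in enumerate(lines, 1)]


# Constructed sample traffic (not captured from a real device).
SAMPLE_LOG = [
    "GET|/cgi-bin/libagent.cgi|type=J|sid=123456789||<html>",
    'POST|/cgi-bin/libagent.cgi|type=J&1579957200000|sid=123456789|{"O_": "A", "F_": "EXEC_CMD", "S_": 123456789, "P1_": {"Q": "cat /etc/passwd", "F": "EXEC_CMD"}, "V_": 1}|root:x:0:0:root:/root:/bin/sh',
    'POST|/cgi-bin/libagent.cgi|type=J|sid=a1b2c3d4e5|{"O_": "A", "F_": "EXEC_CMD", "S_": 1, "P1_": {"Q": "id", "F": "EXEC_CMD"}, "V_": 1}|uid=0(root)',
    'POST|/cgi-bin/libagent.cgi|type=J|sid=123456789|{"O_": "A", "F_": "GET_STATUS", "S_": 1, "V_": 1}|{"status":"ok"}',
    "POST|/index.html||sid=123456789|||",
]

if __name__ == "__main__":
    for fnd in scan(SAMPLE_LOG):
        print(f"line {fnd.line_no}: {fnd.verdict:18s} cmd={fnd.command!r} reasons={fnd.reasons}")
```

Line 3 of the sample shows why the verdict does not depend on the cookie: the session id is not the default one, but the EXEC_CMD body still yields likely_exploit. Line 4 carries the default sid without EXEC_CMD and lands at suspicious, which is the right tier for reconnaissance against the default account.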

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck   -         9.8     CRITICAL   -