cbcvebase.
CVE-2020-8466
published 2020-12-17

Priority: P180 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 63.71% (99.1th percentile)

A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | | |
| trendmicro | interscan_web_security_virtual_appliance | | |

Detection & IOCs (extracted from sources)

snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Trend Micro IWSVA Unauthenticated Command Injection Inbound (CVE-2020-8466)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uid="; startswith; content:"passwd=|60|"; fast_pattern; reference:url,packetstormsecurity.com/files/160602/Trend-Micro-IWSVA-CSRF-XSS-Bypass-SSRF-Code-Execution.html; reference:cve,2020-8466; classtype:attempted-admin; sid:2032533; rev:1; metadata:attack_target Server, created_at 2021_04_08, cve CVE_2020_8466, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes
passwd=|60|
  • Exploit traffic is an inbound HTTP POST request. The request body starts with 'uid=' and contains 'passwd=' followed by a backtick character (hex 0x60), indicating command injection via the password field.
  • The vulnerability is only exploitable when the 'improved password hashing method' feature is enabled on Trend Micro IWSVA 6.5 SP2.
  • Monitor for unauthenticated POST requests to the IWSVA login/authentication endpoint containing shell metacharacters (backtick, pipe, semicolon) in the passwd parameter.
  • The command injection is only triggerable when the 'improved password hashing method' is enabled. Appliances using the default/legacy hashing method are NOT vulnerable to this specific attack path.
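
The monitoring guidance above can be applied to proxy or web-server logs that capture request bodies. The following is an added example, not code from this page or from the rule's authors: the field names uid and passwd come from the rule, while the percent-decoding step, the severity labels and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Shell metacharacters named in the monitoring note: backtick, pipe, semicolon.
SHELL_METACHARS = "`|;"


def inspect_login_body(method, body):
    """Return None for a clean request, else a dict describing the finding."""
    # Same preconditions as the rule: an HTTP POST whose body starts with uid=.
    if method.upper() != "POST" or not body.startswith("uid="):
        return None
    # parse_qsl percent-decodes values, so %60 is seen as a backtick.
    # separator="&" keeps a ';' inside the password value intact.
    for name, value in parse_qsl(body, keep_blank_values=True, separator="&"):
        if name != "passwd":
            continue
        hits = sorted({c for c in value if c in SHELL_METACHARS})
        if hits:
            # A leading backtick corresponds to the rule's passwd=|60| content
            # match; a metacharacter elsewhere is the broader heuristic.
            severity = "high" if value.startswith("`") else "medium"
            return {"severity": severity, "metachars": hits}
    return None


def scan(requests):
    """Return (index, finding) for every suspicious (method, body) pair."""
    findings = []
    for i, (method, body) in enumerate(requests):
        finding = inspect_login_body(method, body)
        if finding is not None:
            findings.append((i, finding))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("POST", "uid=admin&passwd=Correct-Horse9"),
    ("POST", "uid=admin&passwd=`CONSTRUCTED`"),
    ("POST", "uid=admin&passwd=%60CONSTRUCTED%60"),
    ("POST", "uid=admin&passwd=abc%7Cdef"),
    ("GET", "uid=admin&passwd=`CONSTRUCTED`"),
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(index, finding)
```

Legitimate passwords can contain a pipe or semicolon, so "medium" findings are leads for review rather than confirmed exploitation attempts.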

CVSS provenance

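| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |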