CVE-2020-9020
published 2020-02-17


Priority: P278 (critical, CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: yes (VulnCheck KEV, exploited in the wild)
EPSS: 2.47% (82.5th percentile)
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.
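Added example (not the device's firmware code, which is not on this page): a Python illustration of the bug class the description names, an NTP Server value interpolated into a shell command line, beside the allow-list check and shell-free invocation that closes it. The command being built (`ntpdate -u`) and the assumption that the field reaches a shell are illustrative only; the vulnerable builder returns the command string instead of executing it so the example runs safely offline.

```python
"""
Illustration of OS command injection via a hostname field (the CVE-2020-9020 bug class).
Not the Vantage Velocity timeconfig.py; the script's real internals are not on this page.
Assumption for the example: the NTP Server field is interpolated into a shell command.
"""
import ipaddress
import re
from typing import List


def build_vulnerable_command(ntp_server: str) -> str:
    """Vulnerable pattern: user input concatenated into a command line that a shell parses.
    In the real bug class this string goes to os.system() / subprocess(shell=True), so
    ';', '|', '&', backticks and $() in the field all run a second command."""
    return f"ntpdate -u {ntp_server}"   # assumed command, returned rather than executed


# RFC 1123 hostname label: starts/ends alphanumeric, hyphens only inside, 1-63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_ntp_server(value: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else.
    Shell metacharacters can never pass because they are outside the label grammar."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_hardened_argv(ntp_server: str) -> List[str]:
    """Hardened pattern: validate first, then pass the value as one argv element.
    subprocess.run(argv) with a list and shell=False never invokes a shell, so even a
    value that slipped past validation could not be split into extra commands."""
    if not is_valid_ntp_server(ntp_server):
        raise ValueError(f"rejected NTP server value: {ntp_server!r}")
    return ["ntpdate", "-u", ntp_server]


if __name__ == "__main__":
    benign = "pool.ntp.org"
    hostile = "pool.ntp.org; id"   # constructed sample: the ';' (0x3b) shape the ET rule keys on
    print(build_vulnerable_command(hostile))   # the shell would run 'id' as a second command
    print(build_hardened_argv(benign))
    try:
        build_hardened_argv(hostile)
    except ValueError as err:
        print("blocked:", err)
```

The validator deliberately accepts only the grammar the field legitimately needs (an address or a hostname); rejecting a list of known-bad characters would miss encodings and shell features the list does not name.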

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
iteris | vantage_velocity_firmware | not shown on this page | not shown on this page
iteris | vantage_velocity_firmware | not shown on this page | not shown on this page
iteris | vantage_velocity_firmware | not shown on this page | not shown on this page

The version-range and fixed-in columns are empty in the extracted data; the description above names 2.3.1, 2.4.2 and 3.0 as the affected versions.

Detection & IOCs (extracted from sources)

ip: 198.23.238.203
port: 5684
url: http://198.23.238.203/arm
url: http://198.23.238.203/arm7
url: http://198.23.238.203/mips
url: http://198.23.238.203/mipsel
url: http://198.23.238.203/powerpc
url: http://198.23.238.203/sh4
url: http://198.23.238.203/sparc
url: http://198.23.238.203/m68k
url: http://198.23.238.203/x86_64
url: http://198.23.238.203/x86_32
hash: 0d74227dbc3bdd74a3854d81e47cf6048da2d95c3010b953de407e5989beb066
hash: fe8e5e7041dfda470f9e2ad9abe9e0da3e43ddb5b24209e42ce0e3ebee1a7bfe
hash: 320d7067d60f9ed7e7f3e9408a5d3b0a6fdccddde494c0a2a4f4e77aecb80814
hash: fbe314dc3b284ce2db1f37478338fdba8130bf44e484f5028ca92eb9326417e4
hash: 3c62d16451db32f72464a854d6aceb7c7ba2f07c38850f6a247a5243c0f473cb
hash: 13ce782d393f2b4ce797747d12f377afad9d6e56c10f52948034a234654a9d30
hash: 985127ed1610cfca49f6dba273bb0783f20adf763e1d553c38e5a0f9f89328c3
hash: e458dca7ddceae3412e815e5c70e365f6cc918be2d512e69b5746ed885e80268
hash: 989e49f9aaff3645c40a2c40b8959e28e4ff0a645e169bb81907055a34f84dfb
hash: 22818ae75823ee5807d5d220500eb9d5829927d57e10ce87312d1c22843fb407
snort (ET sid 2032314, rev 1):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Vantage Velocity Field Unit RCE Inbound (CVE-2020-9020)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/timeconfig.py?"; fast_pattern; content:"|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/; reference:cve,2020-9020; classtype:attempted-admin; sid:2032314; rev:1; metadata:created_at 2021_03_24, cve CVE_2020_9020, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_24;)
  • Exploit arrives as an HTTP POST to /cgi-bin/timeconfig.py? containing a semicolon (0x3b) shell metacharacter in the NTP Server field (htmlNtpServer parameter) — the ET rule keys on content:"/cgi-bin/timeconfig.py?" followed by content:"|3b|".
  • Post-exploitation payload is fetched via wget from 198.23.238.203 over HTTP port 80; monitor for outbound wget/curl requests to that IP from IoT/embedded devices.
  • C2 communications use encrypted SSL traffic to 198.23.238.203 on port 5684; alert on SSL/TLS sessions to that IP:port from internal hosts.
  • Satori scans TCP port 23 (Telnet) on random hosts and attempts credential brute-force; high-rate outbound Telnet scanning from a compromised device is a strong post-compromise indicator.
  • Embedded passwords in the Satori sample are XOR-encrypted with single-byte key 0x07; use this to decode credential strings during malware analysis or memory forensics.
  • Palo Alto Networks Threat Prevention signature 90769 blocks the exploit traffic; verify this signature is active on NGFWs protecting Vantage Velocity devices.
  • Ten distinct Satori binaries are hosted on the C2 server, one per CPU architecture (arm, arm7, mips, mipsel, powerpc, sh4, sparc, m68k, x86_64, x86_32), matching the ten URLs and ten SHA-256 hashes above; hash-based detections must cover all variants to avoid gaps.
  • The C2 server 198.23.238.203 was still accessible at time of publication; block/null-route this IP but treat it as potentially shared infrastructure that may be reused against other targets.
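Added detection example, written for this page rather than taken from Proofpoint, Unit 42 or the ET ruleset: it re-implements the logic of ET sid 2032314 (POST, URI containing /cgi-bin/timeconfig.py?, and a 0x3b after it) together with the payload-fetch and C2 IOCs above, and runs it over a simplified, constructed log format of the form `<timestamp> <src_ip> <dst_ip>:<dst_port> <proto> <method|-> <uri|->`. The log lines are constructed samples, not captured traffic; the format and field order are assumptions for the example.

```python
"""
Re-implementation of the ET rule logic and the network IOCs for CVE-2020-9020 over a
constructed, simplified log format. Not the rule engine itself and not captured data.
"""
from typing import List, Tuple
from urllib.parse import unquote

C2_IP = "198.23.238.203"
C2_TLS_PORT = "5684"
CGI_PATH = "/cgi-bin/timeconfig.py?"
# The ten per-architecture payload paths listed in the IOCs above.
PAYLOAD_PATHS = {"/arm", "/arm7", "/mips", "/mipsel", "/powerpc",
                 "/sh4", "/sparc", "/m68k", "/x86_64", "/x86_32"}


def matches_et_2032314(method: str, uri: str) -> bool:
    """Mirror of the ET rule: http.method POST, http.uri contains the CGI path, and a
    ';' (0x3b) appears after that match (content with distance:0).  Snort/Suricata's
    http.uri buffer is percent-decoded, so '%3B' is normalized before matching."""
    if method.upper() != "POST":
        return False
    norm = unquote(uri)
    idx = norm.find(CGI_PATH)
    if idx < 0:
        return False
    return ";" in norm[idx + len(CGI_PATH):]


def classify(line: str) -> List[str]:
    """Tag one log line with every IOC it matches (empty list = nothing matched)."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return []
    _ts, _src, dst, proto, method, uri = parts
    dst_ip, _, dst_port = dst.rpartition(":")
    tags = []
    if proto == "http" and matches_et_2032314(method, uri):
        tags.append("exploit_attempt")          # inbound RCE attempt against the CGI
    if proto == "http" and dst_ip == C2_IP and dst_port == "80" \
            and uri.split("?", 1)[0] in PAYLOAD_PATHS:
        tags.append("payload_fetch")            # wget of a Satori binary from the C2 host
    if proto == "tls" and dst_ip == C2_IP and dst_port == C2_TLS_PORT:
        tags.append("c2_tls")                   # encrypted C2 session on 5684
    return tags


def scan(log_text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, tags) for every line that matched at least one IOC."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits


# Constructed sample log (RFC 5737 documentation addresses for the victim and scanner).
SAMPLE_LOG = """
2020-02-20T10:00:01Z 203.0.113.7 192.0.2.10:80 http POST /cgi-bin/timeconfig.py?htmlNtpServer=pool.ntp.org;id
2020-02-20T10:00:02Z 203.0.113.7 192.0.2.10:80 http POST /cgi-bin/timeconfig.py?htmlNtpServer=pool.ntp.org%3Bid
2020-02-20T10:00:03Z 192.0.2.10 198.23.238.203:80 http GET /mips
2020-02-20T10:00:04Z 192.0.2.10 198.23.238.203:5684 tls - -
2020-02-20T10:00:05Z 203.0.113.9 192.0.2.10:80 http POST /cgi-bin/timeconfig.py?htmlNtpServer=pool.ntp.org
2020-02-20T10:00:06Z 203.0.113.9 192.0.2.10:80 http GET /cgi-bin/timeconfig.py?htmlNtpServer=a;b
"""

if __name__ == "__main__":
    for lineno, tags in scan(SAMPLE_LOG):
        print(lineno, ", ".join(tags))
```

Two caveats worth carrying into a real deployment: line 2 only fires because the URI is percent-decoded first, so a detector working on raw bytes would miss `%3B`; and the rule keys on any ';' after the query string, not specifically on the htmlNtpServer parameter, which is why the ET metadata rates it confidence Medium and why the hit on line 1 should be confirmed against the parameter value.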
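Added analysis example for the note above on the single-byte 0x07 XOR key: a small string extractor, written for this page and not taken from any published Satori analysis, that XOR-decodes a buffer and pulls out printable runs, i.e. `strings` applied to the decoded bytes. The embedded blob is constructed here from stand-in words (not Satori's credential list), and the NUL-terminated, XOR-encoded layout is an assumption for the illustration.

```python
"""
XOR-key string extraction for embedded credential lists (key 0x07 per the note above).
Generic helper written for this page; the sample blob is constructed, not a real binary.
"""
import string
from typing import List, Tuple

XOR_KEY = 0x07
# Printable ASCII minus control whitespace; space is kept because strings may contain it.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in buf)


def extract_xor_strings(buf: bytes, key: int = XOR_KEY, min_len: int = 5) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of >= min_len printable bytes after XOR-decoding
    the whole buffer with `key`.  key=0 behaves like plain `strings` on the raw bytes.
    Decoding random bytes also produces short spurious printable runs, so keep min_len
    high enough (5 here) to suppress them."""
    decoded = xor_bytes(buf, key)
    found, start = [], None
    for i, b in enumerate(decoded + b"\x00"):   # trailing sentinel flushes the last run
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, decoded[start:i].decode("ascii")))
            start = None
    return found


def build_sample_blob() -> bytes:
    """Constructed for this example: three NUL-terminated words, XOR-0x07-encoded and
    separated by arbitrary binary filler, in the way a credential table might be stored."""
    header = bytes([0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00])   # ELF-like filler
    filler = bytes([0x00, 0xff, 0x90, 0x90])
    blob = header
    for word in (b"admin", b"default", b"support"):                   # stand-in words
        blob += xor_bytes(word + b"\x00", XOR_KEY) + filler
    return blob


if __name__ == "__main__":
    blob = build_sample_blob()
    print("raw strings   :", extract_xor_strings(blob, key=0))        # readable-looking garbage
    print("xor 0x07      :", extract_xor_strings(blob, key=XOR_KEY))  # the real words
```

The key=0 pass shows why plain `strings` is misleading here: XORing letters with 0x07 maps them to other letters, so the encoded table looks like ordinary text and is easy to dismiss until the key is applied.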

CVSS provenance

NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
VulnCheck: 9.8 CRITICAL