cbcvebase.
CVE-2020-9465
published 2020-02-28

CVE-2020-9465: An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated…

PriorityP182critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
82.24%
99.6th percentile
An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie.

Affected

1 ranges
VendorProductVersion rangeFixed in
eyesofnetworkeyesofnetwork>= 5.1 < 5.3-35.3-3

Detection & IOCsextracted from sources · hover to see the quote

cookieuser_id=
url/login.php
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Cookie SQLi (CVE-2020-9465)"; flow:established,to_server; http.uri; content:"/login.php"; endswith; fast_pattern; http.cookie; content:"user_id="; nocase; startswith; pcre:"/^[^\r\n=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-9465; classtype:attempted-admin; sid:2034309; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_9465, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • SQL injection payload in the `user_id` cookie field targets /login.php; look for UNION/SELECT keywords in the cookie value via regex /^[^\r\n=]*(?:union|select)/Ri
  • Exploit traffic is directed to /login.php with a malformed user_id cookie; the ET rule (sid:2034309) fires on established HTTP flows to_server matching both URI and cookie patterns simultaneously
  • Version fingerprinting: fetch /css/eonweb.css and extract the '# VERSION :' comment line; versions 5.1–5.3 (before 5.3-3) are vulnerable
  • EON 5.3 also exposes a hardcoded API key as an alternative authentication bypass path; EON 5.1/5.2 rely solely on SQL injection for auth bypass
  • ·The Snort/Suricata rule targets $HOME_NET and $HTTP_SERVERS; ensure these variables are correctly scoped to cover internal EON appliances, otherwise the rule will not fire on internal-only deployments
  • ·The vulnerability affects eonweb 5.1 through 5.3 *before* 5.3-3 only; version 5.3-3 and later are patched and should not be flagged

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.