CVE-2020-10181
Published: 11 March 2020
Summary
CVE-2020-10181 is a critical-severity CSRF (CWE-352) vulnerability in Sumavision Enhanced Multimedia Router Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication, Organizational Users).
Deeper analysis
The vulnerability is a cross-site request forgery flaw (CWE-352) in the goform/formEMR30 endpoint of Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27. The component accepts unauthenticated requests that create new users with administrator privileges, as demonstrated by a request carrying the parameter setString=new_user<*1*>administrator<*1*>123456.
An unauthenticated remote attacker can exploit the issue over the network without user interaction to add an administrator account and obtain full control of the device configuration and services. The CVSS 3.1 score of 9.8 reflects the absence of required credentials and the complete confidentiality, integrity, and availability impact.
The supplied references consist of public proof-of-concept material, including PacketStorm entries and a GitHub repository with demonstration code, but contain no vendor advisory or patch information.
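The detection side of the flaw described above, as an added example that is not part of this advisory or of any Sumavision code: a small Python scanner that parses constructed, combined-format HTTP access-log lines and flags requests to the goform/formEMR30 endpoint, distinguishing those whose setString query parameter begins with new_user (the user-creation shape the advisory documents) from plain hits on the endpoint. The log format, the sample lines and the client addresses are assumptions made for the example.

```python
"""
Added example (not from the advisory): flag access-log entries that match
the CVE-2020-10181 request shape, i.e. requests to goform/formEMR30 whose
setString parameter begins with new_user. The log format and sample lines
below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-style line: client, timestamp, method, target, status.
# Constructed format; adapt the pattern to the device's real log layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Endpoint named in the advisory.
VULN_PATH = "/goform/formEMR30"

# Constructed sample log: one user-creation request with the advisory's
# parameter (percent-encoded), one bodyless POST hit on the endpoint, and
# one unrelated request. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2020:10:01:02 +0000] "GET /goform/formEMR30?setString=new_user%3C*1*%3Eadministrator%3C*1*%3E123456 HTTP/1.1" 200
203.0.113.7 - - [11/Mar/2020:10:01:05 +0000] "POST /goform/formEMR30 HTTP/1.1" 200
198.51.100.4 - - [11/Mar/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200
"""


def parse_line(line):
    """Parse one log line into a dict with decoded path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes values, so "<*1*>" comes back literally.
    entry["query"] = parse_qs(parts.query)
    return entry


def is_user_creation_attempt(entry):
    """True when the request targets formEMR30 and carries a setString
    value starting with 'new_user', the shape the advisory documents."""
    if entry is None or entry["path"] != VULN_PATH:
        return False
    return any(v.startswith("new_user") for v in entry["query"].get("setString", []))


def scan(log_text):
    """Return (client, method, finding) tuples for every hit on the endpoint.

    Requests that visibly carry the user-creation parameter are labelled as
    such; other hits on the endpoint are reported for follow-up, because a
    POST body is not visible in an access log.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["path"] != VULN_PATH:
            continue
        if is_user_creation_attempt(entry):
            findings.append((entry["client"], entry["method"],
                             "setString=new_user user-creation request"))
        else:
            findings.append((entry["client"], entry["method"],
                             "request to formEMR30 (inspect body if POST)"))
    return findings


if __name__ == "__main__":
    for client, method, finding in scan(SAMPLE_LOG):
        print(f"{client} {method}: {finding}")
```

Access logs only expose the query string, so if the device accepts the same parameters in a POST body the scanner can report only that the endpoint was hit; body-level matching needs a reverse proxy or WAF that logs request bodies. Detection is a stopgap: the fix remains enforcing authentication and access control on the endpoint itself.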
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2643
Vulnerability details
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request.
- CWE(s): CWE-352
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces that the formEMR30 endpoint must deny the unauthenticated setString=new_user request that creates administrator accounts.
- IA-2 (Identification and Authentication, Organizational Users): requires successful identification and authentication before any user-creation or privilege-elevation action is accepted on the device.
- Mandates that account creation (including administrator accounts) be authorized through controlled management processes rather than unauthenticated HTTP parameters.