CVE-2020-10221
Published: 08 March 2020
Summary
CVE-2020-10221 is a high-severity OS Command Injection (CWE-78) vulnerability in rConfig. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-10221 is an OS command injection vulnerability (CWE-78) affecting the lib/ajaxHandlers/ajaxAddTemplate.php component in rConfig versions through 3.94. The flaw permits arbitrary operating system command execution when unsanitized input containing shell metacharacters is supplied in the fileName POST parameter.
An attacker with low-privileged authenticated access can send a crafted HTTP POST request to the affected endpoint over the network. Successful exploitation grants the ability to execute arbitrary commands on the underlying operating system, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.
Public exploit code demonstrating authenticated remote code execution against rConfig 3.93 has been disclosed via Packet Storm and detailed write-ups on GitHub, confirming the issue is reproducible with standard web request tools. No official patch or mitigation guidance appears in the referenced materials.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2679
Vulnerability details
lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks the unsanitized fileName POST parameter containing shell metacharacters from reaching the OS command execution path in ajaxAddTemplate.php.
- AC-6 (Least Privilege): Ensures the web application process and authenticated user context run with minimal privileges, limiting the scope of arbitrary OS commands that can be executed after successful injection.
- Restricts the web server and PHP environment to only required functions and disables unnecessary interpreters or shell access that would otherwise enable the command injection payload.
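The input-validation control above is easiest to see in code. The following is an added example, not rConfig's own source: the parameter name fileName comes from the CVE text, while the command being built, the template directory and the function names are hypothetical stand-ins.

```php
<?php
// Added example (not rConfig code): allow-list validation of a
// user-supplied file name before it reaches any OS command.
// "fileName" is the parameter named in the CVE; the touch command,
// template directory and function names are hypothetical.

declare(strict_types=1);

final class UnsafeFileNameException extends InvalidArgumentException {}

/**
 * Return $fileName unchanged if it is a plain base name made only of
 * letters, digits, dot, dash and underscore; otherwise throw.
 * Shell metacharacters (; | & $ ` and friends), path separators and
 * ".." never pass, so the input cannot alter the command structure.
 */
function validateFileName(string $fileName): string
{
    if ($fileName === '' || strlen($fileName) > 255) {
        throw new UnsafeFileNameException('empty or too long');
    }
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $fileName)) {
        throw new UnsafeFileNameException('disallowed characters');
    }
    if (strpos($fileName, '..') !== false) {
        throw new UnsafeFileNameException('path traversal sequence');
    }
    return $fileName;
}

/**
 * Build the command with two independent layers: the allow-list
 * check above, then escapeshellarg() on the full path so the name
 * is always passed as a single argument inside the intended directory.
 */
function buildTemplateCommand(string $fileName, string $templateDir): string
{
    $safeName = validateFileName($fileName);
    return 'touch ' . escapeshellarg(rtrim($templateDir, '/') . '/' . $safeName);
}

// Constructed inputs: one benign name, one carrying a shell metacharacter.
foreach (['router_base.yml', 'template;name.yml'] as $candidate) {
    try {
        echo buildTemplateCommand($candidate, '/var/www/templates'), PHP_EOL;
    } catch (UnsafeFileNameException $e) {
        echo "rejected '$candidate': ", $e->getMessage(), PHP_EOL;
    }
}
```

The allow-list is the control that matters; escapeshellarg() alone would neutralise metacharacters but still accept names the application never intended to create.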