CVE-2020-10221

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 08 March 2020

Modified: 07 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9139 (99.7th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-10221 is a high-severity OS Command Injection (CWE-78) vulnerability in rConfig. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2020-10221 is an OS command injection vulnerability (CWE-78) affecting the lib/ajaxHandlers/ajaxAddTemplate.php component in rConfig versions through 3.94. The flaw permits arbitrary operating system command execution when unsanitized input containing shell metacharacters is supplied in the fileName POST parameter.

An attacker with low-privileged authenticated access can send a crafted HTTP POST request to the affected endpoint over the network. Successful exploitation grants the ability to execute arbitrary commands on the underlying operating system, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.

Public exploit code demonstrating authenticated remote code execution against rConfig 3.93 has been disclosed via Packet Storm and detailed write-ups on GitHub, confirming the issue is reproducible with standard web request tools. No official patch or mitigation guidance appears in the referenced materials.

Vulnerability details

lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rconfig
Product: rconfig
Affected versions: ≤ 3.9.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly blocks the unsanitized fileName POST parameter containing shell metacharacters from reaching the OS command execution path in ajaxAddTemplate.php.

prevent: Ensures the web application process and authenticated user context run with minimal privileges, limiting the scope of arbitrary OS commands that can be executed after successful injection.

prevent: Restricts the web server and PHP environment to only required functions and disables unnecessary interpreters or shell access that would otherwise enable the command injection payload.
