CVE-2020-36883
Published: 10 December 2025
Summary
CVE-2020-36883 is a high-severity Path Traversal (CWE-22) vulnerability in Spinetix Fusion Digital Signage. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 28.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of unverified input parameters in file backup and deletion operations, directly preventing path traversal exploits.
- Mandates timely identification, reporting, and remediation of flaws like this authenticated path traversal vulnerability through patching.
- Restricts malicious information inputs such as traversal sequences in file operation parameters, mitigating exploitation attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a path traversal in a web application (index.php) enabling arbitrary file overwrite via backups (T1565.001 Stored Data Manipulation) and deletion (T1070.004 File Deletion), exploited as a public-facing or remote web app flaw (T1190 Exploit Public-Facing Application).
NVD Description
SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.
Deeper analysis
CVE-2020-36883 is an authenticated path traversal vulnerability affecting SpinetiX Fusion Digital Signage versions 3.4.8 and lower. The flaw resides in the index.php component, where unverified input parameters in file backup and deletion operations enable attackers to employ path traversal techniques. As a result, backup files can be written to arbitrary locations on the filesystem and arbitrary files can be deleted.
The vulnerability requires low privileges (PR:L), meaning an authenticated user with basic access can exploit it over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high integrity (I:H) and availability (A:H) impacts with no confidentiality impact (C:N), giving a CVSS v3.1 base score of 8.1. Attackers can overwrite critical files via malicious backups or delete essential system files, potentially leading to denial of service or full system compromise.
Advisories from VulnCheck (vulncheck.com) and Zero Science (zeroscience.mk) document the issue, including exploit details available on Exploit-DB (exploit-db.com/exploits/48844). Mitigation recommendations, detailed in these sources and on the vendor site (spinetix.com), emphasize updating to patched versions where available and validating input parameters to prevent path traversal in file operations. A public proof-of-concept exploit exists, indicating potential for real-world abuse.
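As an added illustration of the input-validation control (SI-10) recommended above, and not code from SpinetiX or from the cited advisories, the following Python routine shows how a backup or delete handler can confine a user-supplied file name to one fixed directory by checking the resolved path rather than filtering for "../" substrings. The backup directory and the parameter values are constructed for the example.

```python
import os
from typing import Optional

# Constructed example: the only directory backup and delete operations may touch.
# Hypothetical path, not the product's real layout.
BACKUP_ROOT = "/srv/fusion/backups"


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve a user-supplied file name against base_dir.

    Returns the absolute, symlink-resolved path if it stays inside base_dir,
    otherwise None. Deciding on the resolved path (instead of searching for a
    literal "../") also catches doubled, normalised or symlink-based traversal
    that substring filtering misses.
    """
    if not user_path or "\x00" in user_path:
        return None                      # empty or NUL-truncated names
    if os.path.isabs(user_path):
        return None                      # absolute paths never belong here
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        # commonpath, not startswith: "/srv/fusion/backups2" starts with
        # "/srv/fusion/backups" but is a different directory.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                   # e.g. different drives on Windows
        inside = False
    if not inside or candidate == base:  # the root itself is not a file target
        return None
    return candidate


def classify_file_params(base_dir: str, params):
    """Map each request parameter value to True (accepted) or False (rejected)."""
    return {p: resolve_within(base_dir, p) is not None for p in params}


# Constructed parameter values of the kind a backup or delete request might carry.
SAMPLE_PARAMS = [
    "site-2020-01-01.tar",        # ordinary file name: accepted
    "nightly/site.tar",           # subdirectory inside the root: accepted
    "../../etc/passwd",           # classic traversal: rejected
    "../backups2/site.tar",       # sibling dir sharing the prefix: rejected
    "/etc/passwd",                # absolute path: rejected
    "site.tar\x00.log",           # NUL byte: rejected
    ".",                          # the root itself: rejected
]

if __name__ == "__main__":
    for name, ok in classify_file_params(BACKUP_ROOT, SAMPLE_PARAMS).items():
        print(f"{'accept' if ok else 'reject':6} {name!r}")
```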
Details
- CWE(s)