Cyber Resilience

CVE-2020-36883

Severity: High · Public PoC

Published: 10 December 2025

Modified: 21 January 2026
CVSS v4.0 base score: 8.8 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0089 (75.9th percentile)
Risk priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36883 is a high-severity path traversal (CWE-22) vulnerability in SpinetiX Fusion Digital Signage. Its CVSS v4.0 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 24.1% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-36883 is an authenticated path traversal vulnerability affecting SpinetiX Fusion Digital Signage versions 3.4.8 and lower. The flaw is in the index.php component, where the file-name parameters passed to the backup and file-deletion operations are used without validation, so traversal sequences in them are honoured. An authenticated attacker can therefore cause a backup file to be written to an arbitrary location on the filesystem and can delete arbitrary files.

Under CVSS v3.1 the vulnerability scores 8.1 (High). It requires only low privileges (PR:L), meaning an authenticated user with basic access can exploit it over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has high integrity (I:H) and availability (A:H) impacts and no confidentiality impact (C:N). Note that the CVSS v4.0 vector shown above records PR:N and VA:L, which does not match the authenticated precondition described in the advisories; when assessing exposure, treat the v3.1 metrics as the better description of what an attacker needs. Attackers can overwrite critical files via crafted backups or delete files the appliance depends on, potentially leading to denial of service or, where the backup write can reach a location the system executes or serves, full system compromise.

Advisories from VulnCheck (vulncheck.com) and Zero Science (zeroscience.mk) document the issue, and exploit details are available on Exploit-DB (exploit-db.com/exploits/48844). The mitigation guidance in those sources and on the vendor site (spinetix.com) is to update to a patched release where one is available and to validate the file-name parameters used by the backup and delete operations so that traversal sequences are rejected. Because a public proof-of-concept exploit exists, real-world abuse is plausible.

Vulnerability details

SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability is a path traversal in a web application (index.php) that enables arbitrary file overwrite via backups (T1565.001 Stored Data Manipulation) and arbitrary file deletion (T1070.004 File Deletion), reached by exploiting a public-facing or remotely reachable web application (T1190 Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36886 (same product: SpinetiX Fusion Digital Signage)
CVE-2026-44243 (shared CWE-22)
CVE-2026-3666 (shared CWE-22)
CVE-2018-25308 (shared CWE-22)
CVE-2026-22460 (shared CWE-22)
CVE-2025-69377 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-26752 (shared CWE-22)
CVE-2026-4350 (shared CWE-22)
CVE-2025-65792 (shared CWE-22)

Affected Assets

SpinetiX Fusion Digital Signage, versions ≤ 3.4.8

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation of the unverified input parameters used in the file backup and deletion operations, directly preventing path traversal.

SI-2 Flaw Remediation (prevent)

Mandates timely identification, reporting and remediation of flaws such as this authenticated path traversal through patching.

Input restriction (prevent)

Restricts malicious information inputs such as traversal sequences in file-operation parameters, mitigating exploitation attempts.
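The following Python is an added example, written for this page and not SpinetiX code or the Exploit-DB entry, that illustrates both the flaw described in the deeper analysis and the SI-10 input-validation control above. It contrasts the kind of literal substring check that lets traversal through with a hardened check: decode the supplied name, allowlist a bare file name, then confirm that the canonicalised path still sits directly under the backup directory. The directory name, the way the parameter is handled and the sample payloads are assumptions for illustration; the vendor's actual index.php parameters are not reproduced.

```python
"""Added example: naive vs. hardened handling of a user-supplied backup file name.

Illustration code written for this page, not SpinetiX code. The directory,
parameter handling and payloads below are assumptions.
"""
import posixpath
import re
import urllib.parse
from typing import Dict, Optional, Tuple

BACKUP_ROOT = "/var/lib/signage/backups"                    # assumed backup directory
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")  # bare file names only


def naive_is_safe(user_name: str) -> bool:
    """A check of the kind that does NOT stop traversal: a literal substring test.

    URL-encoded sequences, absolute paths and NUL bytes all slip past it.
    """
    return "../" not in user_name


def resolve_backup_path(user_name: str, root: str = BACKUP_ROOT) -> Optional[str]:
    """Map a user-supplied backup name to a path strictly inside `root`.

    Returns the canonical path, or None when the name must be rejected.
    Two independent layers: an allowlist on the decoded name, then a
    canonicalisation check on the joined path.
    """
    # Decode twice so %2e%2e%2f and %252e%252e%252f are judged on their real
    # characters. A legitimate name never contains '%', so the allowlist below
    # rejects anything for which double decoding would be ambiguous.
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_name))
    if "\x00" in decoded:                  # NUL-truncation trick against older PHP builds
        return None
    if not SAFE_NAME.fullmatch(decoded):   # no '/', '\\', '%', leading '.' or empty name
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Belt and braces: even if the allowlist is loosened later, the canonical
    # parent directory must still be exactly the backup root.
    if posixpath.dirname(candidate) != root_norm:
        return None
    return candidate


# Constructed payloads for the comparison: generic traversal forms, not the
# request from the public exploit.
TRAVERSAL_SAMPLES = [
    "../../etc/passwd",                  # plain traversal
    "..%2f..%2fetc%2fpasswd",            # URL-encoded slashes
    "%252e%252e%252fetc%252fpasswd",     # double-encoded
    "/etc/passwd",                       # absolute path, no '..' at all
    "backup.tar.gz\x00.txt",             # NUL truncation
    "site-2025-12-10.tar.gz",            # the one legitimate name
]


def evaluate(samples=TRAVERSAL_SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (naive_accepts, hardened_accepts)} for each sample."""
    return {s: (naive_is_safe(s), resolve_backup_path(s) is not None) for s in samples}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name!r:38} naive={('accept' if naive else 'reject'):7} "
              f"hardened={('accept' if hardened else 'reject')}")
```

Running the block shows the encoded and absolute-path samples accepted by the naive check and rejected by the hardened one, while the legitimate name resolves to a path under the backup root. The allowlist does the real work; the canonicalisation check is there so that a later relaxation of the allowlist (for instance to permit subdirectories) still cannot escape the root.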