CVE-2020-36902
Published: 10 December 2025
Summary
CVE-2020-36902 is a critical-severity Missing Authorization (CWE-862) vulnerability in Medivision Medivision Digital Signage Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to /html/user endpoint and prevents privilege escalation via manipulated 'ft[grp]' parameter.
Validates and sanitizes input parameters like 'ft[grp]' to block unauthorized tampering leading to super admin privilege gain.
Limits user privileges to the minimum necessary, reducing the impact of authorization bypasses even if escalation occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated authorization bypass in a public-facing web application (/html/user endpoint), directly enabling exploitation of a public-facing application for initial access and privilege escalation to super admin rights.
NVD Description
UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer value '3' to gain super…
more
admin rights without authentication.
Deeper analysisAI
UBICOD Medivision Digital Signage version 1.5.1 is affected by CVE-2020-36902, an authorization bypass vulnerability stemming from CWE-862 (Missing Authorization). The flaw allows privilege escalation by manipulating the 'ft[grp]' parameter in a GET request to the /html/user endpoint. By setting 'ft[grp]' to the integer value '3', normal users or attackers can gain super admin rights. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and sending a simple GET request to /html/user?ft[grp]=3, they bypass authorization controls and elevate to super admin privileges, potentially enabling full control over the digital signage system, including configuration changes, content manipulation, or further compromise of connected infrastructure.
Advisories from sources like VulnCheck, Zero Science Lab (ZSL-2020-5575), and an Exploit-DB proof-of-concept (EDB-ID 48684) detail the issue and provide exploit code, but no specific patches or vendor mitigations are outlined in the available references. Security practitioners should isolate affected systems, apply any available updates from the vendor (medivision.co.kr), and implement web application firewalls to block parameter tampering on the /html/user endpoint.
A public exploit is available on Exploit-DB, highlighting active research interest despite the CVE's 2020 designation and a 2025 publication timestamp in vulnerability databases. No evidence of widespread real-world exploitation or AI/ML relevance is noted.
Details
- CWE(s)