Cyber Resilience

CVE-2020-36910

HighPublic PoCRCE

Published: 06 January 2026

Published
06 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0128 66.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-36910 is a high-severity OS Command Injection (CWE-78) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-36910 is an authenticated remote command injection vulnerability (CWE-78) affecting Cayin Signage Media Player 3.0, specifically in the system.cgi and wizard_system.cgi pages. The flaw resides in the 'NTP_Server_IP' parameter, which attackers can exploit using default credentials to execute arbitrary shell commands as root. Published on 2026-01-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for complete system compromise.

An attacker requires network access to the affected device and valid low-privilege credentials, such as the defaults provided by the software. Once authenticated, they can submit a malicious payload via the vulnerable 'NTP_Server_IP' parameter in the specified CGI pages, leading to remote code execution with root privileges. This grants high-impact control over confidentiality, integrity, and availability, allowing arbitrary command execution on the target system.

Advisories and additional details, including potential exploits, are documented in references such as https://cxsecurity.com/issue/WLB-2020060049, https://exchange.xforce.ibmcloud.com/vulnerabilities/182924, https://packetstorm.news/files/id/157942, https://www.cayintech.com, and https://www.exploit-db.com/exploits/48557. Security practitioners should consult these sources and the vendor for patch availability or mitigation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated remote command injection in web CGI endpoints enables exploitation of public-facing application (T1190), arbitrary Unix shell execution (T1059.004), and privilege escalation from low-priv to root (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27635Shared CWE-78
CVE-2025-56077Shared CWE-78
CVE-2026-28773Shared CWE-78
CVE-2025-56102Shared CWE-78
CVE-2021-47816Shared CWE-78
CVE-2026-24841Shared CWE-78
CVE-2026-26943Shared CWE-78
CVE-2025-56094Shared CWE-78
CVE-2026-28507Shared CWE-78
CVE-2025-56098Shared CWE-78

Affected Assets

Cxsecurity
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2020-36910 by identifying, patching, or updating the vulnerable CGI scripts to eliminate the command injection flaw.

prevent

Prevents exploitation of the NTP_Server_IP parameter by validating inputs to reject command injection payloads containing shell metacharacters.

prevent

Reduces attack surface by disabling default credentials or enforcing strong account management, hindering authenticated access needed to exploit the vulnerability.

References