Cyber Resilience

CVE-2020-36926

Severity: Medium · Public PoC available

Published: 16 January 2026

Modified: 09 February 2026
KEV added: not listed
CVSS v4.0 score: 6.9 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0007 (22.4th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-36926 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in SmarterTools SmarterTrack. Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2020-36926 is an information disclosure vulnerability in SmarterTrack version 7922. The issue affects the Chat Management search form, accessible via the /Management/Chat/frmChatSearch.aspx endpoint, which exposes agent identification details including first names, last names, and unique identifiers. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-497.

Remote, unauthenticated attackers can exploit the vulnerability by directly accessing the affected endpoint over the network with low complexity and no user interaction required. Successful exploitation enables retrieval of sensitive agent personal information, which could facilitate targeted social engineering, phishing, or reconnaissance for subsequent attacks.
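Because the flaw is a single unauthenticated endpoint, the most useful defensive artefact is a log check that shows whether that endpoint has been served to anyone. The following is an added example, not code from this page or from SmarterTools: it parses IIS W3C extended log lines (the format an ASP.NET application such as SmarterTrack would normally be fronted by), flags every request to the /Management/Chat/frmChatSearch.aspx path regardless of letter case, and grades each hit by whether the server actually returned the page (status 200) and whether the client address lies outside a hypothetical internal agent network (10.0.0.0/8 here). The log excerpt is constructed for the example; a 302 is treated as the login redirect a patched or access-controlled install would return.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample IIS W3C log excerpt; not captured from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-01-16 10:01:02 10.0.0.5 GET /Management/Chat/frmChatSearch.aspx - 443 - 203.0.113.7 curl/8.4.0 200
2026-01-16 10:01:05 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 curl/8.4.0 200
2026-01-16 10:02:11 10.0.0.5 GET /management/chat/frmchatsearch.aspx q=smith 443 - 198.51.100.23 Mozilla/5.0 200
2026-01-16 10:03:40 10.0.0.5 GET /Management/Chat/frmChatSearch.aspx - 443 - 10.0.0.42 Mozilla/5.0 200
2026-01-16 10:04:00 10.0.0.5 GET /Management/Chat/frmChatSearch.aspx - 443 - 203.0.113.9 python-requests/2.31 302
"""

# Endpoint named in the advisory; compared case-insensitively because IIS paths are.
VULN_PATH = "/management/chat/frmchatsearch.aspx"

# Hypothetical address range where support agents normally work (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    status: int
    user_agent: str
    severity: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of aborting the scan
        yield dict(zip(fields, parts))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding for hits on the vulnerable form, None for other requests."""
    if rec["cs-uri-stem"].lower() != VULN_PATH:
        return None
    status = int(rec["sc-status"])
    if status != 200:
        severity = "low"       # probe was redirected or refused; still reconnaissance
    elif is_internal(rec["c-ip"]):
        severity = "medium"    # page served, but from the agent network; review
    else:
        severity = "high"      # search form served to an external client
    return Finding(
        timestamp=f'{rec["date"]} {rec["time"]}',
        client_ip=rec["c-ip"],
        status=status,
        user_agent=rec["cs(User-Agent)"],
        severity=severity,
    )


def detect(text: str) -> List[Finding]:
    """Scan a W3C log and return every access to the vulnerable endpoint."""
    return [f for f in (classify(r) for r in parse_w3c(text)) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.client_ip:15} {f.status} {f.user_agent}")
```

The "low" grade for non-200 responses is deliberate: after the endpoint is restricted, a burst of redirected requests to it is still a sign that someone is working from the public PoC, and the source addresses are worth feeding into the rest of the reconnaissance detection for the host.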

References include a proof-of-concept exploit on Exploit-DB (ID 50328), vendor resources from SmarterTools, and an advisory from VulnCheck detailing the SmarterTrack information disclosure. Security practitioners should review these sources for any recommended mitigations, such as endpoint access restrictions or software updates.

Vulnerability details

SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers.

CWE(s): CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1589.003 Employee Names (Reconnaissance): Adversaries may gather employee names that can be used during targeting.
Why these techniques?

Unauthenticated remote access to a public web endpoint directly enables T1190 exploitation, and the identity data it exposes (agent names and unique identifiers) matches the employee names and identifiers gathered under T1589.003.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-52691 (same vendor: SmarterTools)
CVE-2026-24423 (same vendor: SmarterTools)
CVE-2026-23760 (same vendor: SmarterTools)
CVE-2026-7807 (same vendor: SmarterTools)
CVE-2025-9986 (shared CWE-497)
CVE-2025-9110 (shared CWE-497)
CVE-2025-13616 (shared CWE-497)
CVE-2026-24523 (shared CWE-497)
CVE-2025-1144 (shared CWE-497)
CVE-2026-24536 (shared CWE-497)

Affected Assets

Vendor: smartertools
Product: smartertrack
Versions: 10.0, 14.0

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations to block unauthenticated access to the /Management/Chat/frmChatSearch.aspx endpoint, preventing disclosure of agent identification details.

SC-14 Public Access Protections (prevent): Protects publicly accessible endpoints like the vulnerable Chat Management search form from unauthorized logical access and sensitive information disclosure.

SI-2 Flaw Remediation (prevent): Identifies, reports, and corrects the specific information disclosure flaw in SmarterTrack version 7922 through timely flaw remediation.
