Cyber Posture

CVE-2020-36948

CriticalPublic PoC

Published: 27 January 2026

Published
27 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0032 55.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-36948 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Vulnerability Lab (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved authorizations for access, directly preventing token manipulation exploits that bypass authentication checks in the LoginAs module.

IA-5 Authenticator Management good match
prevent

IA-5 ensures proper management and validation of authenticators like session tokens, mitigating insufficient token validation vulnerabilities.

SC-23 Session Authenticity good match
prevent

SC-23 protects session authenticity through mechanisms that verify tokens, countering remote manipulation for unauthorized logins.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Vulnerability in public-facing VestaCP web application allows remote unauthenticated attackers to manipulate session tokens for unauthorized account access, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.

Deeper analysisAI

CVE-2020-36948 is a session token vulnerability in the LoginAs module of VestaCP version 0.9.8-26. The flaw arises from insufficient token validation, enabling remote attackers to manipulate authentication tokens and bypass proper checks.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-863 (Incorrect Authorization). Successful exploitation allows attackers to access user accounts and perform unauthorized login requests without administrative permissions.

Advisories from VulnCheck and Vulnerability Lab, along with a proof-of-concept exploit on Exploit-DB, document the issue, while the official VestaCP site provides related information. No specific patch details are outlined in the available references.

Details

CWE(s)
CWE-863

Affected Products

Vulnerability Lab
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-29087Shared CWE-863
CVE-2026-31998Shared CWE-863
CVE-2026-1007Shared CWE-863
CVE-2026-26308Shared CWE-863
CVE-2025-30743Shared CWE-863
CVE-2026-0562Shared CWE-863
CVE-2026-31887Shared CWE-863
CVE-2026-34532Shared CWE-863
CVE-2024-13253Shared CWE-863
CVE-2026-35604Shared CWE-863

References