Cyber Resilience

CVE-2020-37015

HighPublic PoCUpdated

Published: 29 January 2026

Published
29 January 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0052 67.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-37015 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2020-37015 is a directory traversal vulnerability (CWE-22) in the eWeb management interface of Ruijie Networks Switch running S29_RGOS 11.4. The flaw allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters in requests to the /download.do endpoint, using '../' sequences to traverse directories and retrieve files containing credentials and network settings. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity over the network.

Unauthenticated remote attackers can exploit this vulnerability without privileges or user interaction by sending crafted HTTP requests to the affected endpoint. Successful exploitation enables retrieval of critical system configuration files, potentially exposing administrative credentials, network topologies, and other sensitive information that could facilitate further attacks such as lateral movement or privilege escalation within the network.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/ruijie-networks-switch-eweb-srgos-directory-traversal) and the vendor site (https://www.ruijienetworks.com/) provide details on the issue, along with a proof-of-concept exploit available at Exploit-DB (https://www.exploit-db.com/exploits/48755) and analysis at https://faruktuygun.com/directorytraversal.html. Security practitioners should consult these resources for patch availability and mitigation guidance from Ruijie Networks.

EU & UK References

Vulnerability details

The Ruijie Networks Switch eWeb S29_RGOS version 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. Attackers can exploit the /download.do endpoint with '../' sequences to retrieve system configuration…

more

files containing credentials and network settings.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Directory traversal in public-facing eWeb interface directly enables T1190 exploitation for unauthenticated file access; retrieved configs expose credentials in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6381Shared CWE-22
CVE-2026-22199Shared CWE-22
CVE-2020-37088Shared CWE-22
CVE-2026-25992Shared CWE-22
CVE-2018-25178Shared CWE-22
CVE-2025-25684Shared CWE-22
CVE-2022-50992Shared CWE-22
CVE-2026-32847Shared CWE-22
CVE-2026-30869Shared CWE-22
CVE-2026-35615Shared CWE-22

Affected Assets

S29_RGOS
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access control policy on the /download.do endpoint so unauthenticated requests cannot retrieve configuration files via path traversal.

prevent

Requires validation and sanitization of file-path parameters to reject '../' sequences that enable directory traversal to sensitive files.

prevent

Mandates identification and authentication before any access to the eWeb management interface, eliminating the unauthenticated attack vector.

References