Cyber Resilience

CVE-2020-37034

HighPublic PoC

Published: 30 January 2026

Published
30 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0097 57.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37034 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2020-37034 is an arbitrary file download vulnerability in HelloWeb 2.0, caused by a directory traversal flaw (CWE-22) in the download.asp component. Remote attackers can manipulate filepath and filename parameters in crafted GET requests to access and download sensitive configuration and system files. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with no requirements for authentication or user interaction.

Any remote attacker with network access can exploit this vulnerability without privileges. By appending directory traversal sequences (such as ../) to the parameters in requests to download.asp, they can read arbitrary files on the server, potentially exposing critical system information like configuration files or other sensitive data.

Advisories from Vulncheck document the HelloWeb arbitrary file download vulnerability, while Exploit-DB provides a proof-of-concept exploit (ID 48659). An archived version of the HelloWeb site (helloweb.co.kr) offers additional context on the affected software. No patch or mitigation details are specified in the available references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct arbitrary file read via directory traversal in public-facing web component (download.asp) enables remote exploitation of the application without auth.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505Shared CWE-22
CVE-2026-5841Shared CWE-22
CVE-2026-33242Shared CWE-22
CVE-2026-33292Shared CWE-22
CVE-2026-35605Shared CWE-22
CVE-2025-53632Shared CWE-22
CVE-2025-8110Shared CWE-22
CVE-2026-8757Shared CWE-22
CVE-2025-7712Shared CWE-22
CVE-2026-31817Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates filepath and filename parameters in download.asp to block directory traversal sequences like ../ and prevent arbitrary file access.

prevent

Enforces protections on publicly accessible web endpoints like download.asp to restrict access to only approved non-sensitive files.

prevent

Enforces approved access authorizations for file system resources, confining reads to permitted paths despite traversal attempts.

References