CVE-2020-37034
Published: 30 January 2026
Summary
CVE-2020-37034 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2020-37034 is an arbitrary file download vulnerability in HelloWeb 2.0, caused by a directory traversal flaw (CWE-22) in the download.asp component. Remote attackers can manipulate the filepath and filename parameters in crafted GET requests to access and download sensitive configuration and system files. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting a high confidentiality impact with no authentication or user interaction required.
Any attacker with network access to the application can exploit this vulnerability without privileges. By appending directory traversal sequences (such as ../) to the parameters in requests to download.asp, they can read arbitrary files on the server, potentially exposing critical system information such as configuration files or other sensitive data.
Advisories from VulnCheck document the HelloWeb arbitrary file download vulnerability, while Exploit-DB provides a proof-of-concept exploit (ID 48659). An archived version of the HelloWeb site (helloweb.co.kr) offers additional context on the affected software. No patch or mitigation details are specified in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30943
Vulnerability details
HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct arbitrary file read via directory traversal in a public-facing web component (download.asp) enables remote exploitation of the application without authentication.
Mitigating Controls (NIST 800-53 r5)
- Validates the filepath and filename parameters in download.asp to block directory traversal sequences like ../ and prevent arbitrary file access.
- Enforces protections on publicly accessible web endpoints like download.asp to restrict access to only approved non-sensitive files.
- Enforces approved access authorizations for file system resources, confining reads to permitted paths despite traversal attempts.
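The controls above amount to one rule for a download endpoint: canonicalise the requested path and serve it only if it still lies under the permitted root. The following Python is an added illustration of that rule; it is not code from HelloWeb, from the advisory, or from any of the referenced sources. The function names (naive_resolve, safe_resolve, demo), the "downloads" root layout and the sample files are constructed for the example. naive_resolve reproduces the flaw pattern the advisory describes (parameters joined onto a root with no containment check); safe_resolve is the hardened form.

```python
"""Confining user-supplied download paths to an allowed root directory.

Added example for the mitigations described above; not HelloWeb code.
Function names and the sample directory layout are assumptions.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a request would read outside the download root."""


def naive_resolve(base_dir: str, filepath: str, filename: str) -> str:
    # Flaw pattern: request parameters joined straight onto the root.
    # normpath collapses "../" components, so the result can walk out of root.
    return os.path.normpath(os.path.join(base_dir, filepath, filename))


def safe_resolve(base_dir: str, filepath: str, filename: str) -> Path:
    """Return the file to serve, or raise if the request leaves base_dir."""
    root = Path(base_dir).resolve()

    # Syntactic rejections first: NUL bytes truncate paths in some runtimes,
    # absolute paths ignore the root entirely, and filename must be a single
    # component (no separator of either style, no "." or "..").
    for part in (filepath, filename):
        if "\x00" in part or os.path.isabs(part):
            raise PathTraversalError(f"rejected component {part!r}")
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise PathTraversalError(f"filename must be one component: {filename!r}")

    # The check that actually matters: canonicalise (collapses ".." and follows
    # symlinks) and require the result to be the root or a descendant of it.
    candidate = (root / filepath / filename).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"{candidate} is outside {root}")
    if not candidate.is_file():
        raise FileNotFoundError(str(candidate))
    return candidate


def demo() -> dict:
    """Classify constructed requests against a throwaway directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve() / "downloads"   # constructed download root
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "manual.txt").write_text("public manual")
        secret = Path(tmp).resolve() / "web.config"  # constructed file outside root
        secret.write_text("connectionString=placeholder")
        try:
            # A symlink inside the root that points outside it.
            (root / "docs" / "link").symlink_to(secret)
        except OSError:
            pass  # platform without symlink support; case reports "not found"

        requests = {
            "legit": ("docs", "manual.txt"),
            "dotdot": ("../", "web.config"),
            "deep_dotdot": ("docs/../../", "web.config"),
            "abs_path": ("/", "web.config"),
            "sep_in_name": ("docs", "../web.config"),
            "nul": ("docs", "manual.txt\x00.jpg"),
            "symlink": ("docs", "link"),
        }
        results = {}
        for label, (fp, fn) in requests.items():
            try:
                served = safe_resolve(str(root), fp, fn)
                results[label] = "served " + served.relative_to(root).as_posix()
            except PathTraversalError:
                results[label] = "blocked"
            except FileNotFoundError:
                results[label] = "not found"

        # Same traversal request through the unchecked join, for contrast.
        naive = Path(naive_resolve(str(root), "../", "web.config"))
        escaped = naive.exists() and root not in naive.parents
        results["naive_dotdot"] = "escaped" if escaped else "contained"
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>12}: {outcome}")
```

The ordering matters: the syntactic checks are cheap filters, but only the post-resolve containment test defends against every encoding of the same idea (nested ../, symlinks, mixed separators), so it must run on the canonical path rather than on the raw parameters.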