Cyber Resilience

CVE-2020-37042

HighPublic PoC

Published: 30 January 2026

Published
30 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0019 8.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37042 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2020-37042 is a local buffer overflow vulnerability (CWE-120) affecting Frigate Professional version 3.36.0.9, specifically in the 'Find Computer' feature. The flaw occurs when attackers overflow the computer name input field with a malicious payload, triggering a buffer overflow that enables arbitrary code execution. A proof-of-concept demonstrates this by launching the calculator application.

The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity with local attack vector, low complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Local attackers can exploit it to execute arbitrary code on the affected system, potentially leading to full compromise without authentication.

Advisories and resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/frigate-professional-find-computer-local-buffer-overflow and an Exploit-DB entry at https://www.exploit-db.com/exploits/48579, document the issue and proof-of-concept exploit. The archived Frigate website at https://web.archive.org/web/20190623044943/http://www.frigate3.com/index.php provides additional context on the software.

An exploit is publicly available on Exploit-DB, confirming practical exploitation feasibility for local attackers.

EU & UK References

Vulnerability details

Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the 'Find Computer' feature that allows attackers to execute arbitrary code by overflowing the computer name input field. Attackers can craft a malicious payload that triggers a buffer overflow, enabling…

more

code execution and launching calculator as a proof of concept.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Local buffer overflow in a client application (Frigate file manager) directly enables arbitrary code execution via exploitation of the vulnerable input field, matching T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37028Shared CWE-120
CVE-2020-37010Shared CWE-120
CVE-2025-27832Shared CWE-120
CVE-2024-57509Shared CWE-120
CVE-2018-25302Shared CWE-120
CVE-2025-66287Shared CWE-120
CVE-2025-27833Shared CWE-120
CVE-2022-47090Shared CWE-120
CVE-2018-25301Shared CWE-120
CVE-2019-25232Shared CWE-120

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of computer name inputs to prevent buffer overflows from malicious payloads in the 'Find Computer' feature.

prevent

Implements memory protections like ASLR and DEP to mitigate arbitrary code execution from buffer overflow exploits.

prevent

Mandates timely remediation of the specific buffer overflow flaw in Frigate Professional 3.36.0.9 via patching or upgrades.

References