Cyber Resilience

CVE-2020-37078

High · Public PoC

Published: 03 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score v4: 7.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (24.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37078 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Sourceforge (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE is ranked at the 24.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37078 is a file deletion vulnerability in the import module of i-doit Open Source CMDB version 1.14.1. It enables authenticated attackers to delete arbitrary files from the server's filesystem by manipulating the delete_import parameter in a POST request to the import module, using a crafted filename. The issue is classified under CWE-73 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and without requiring user interaction. By sending a specially crafted POST request, the attacker can target and remove any file accessible to the web server process, potentially leading to high impacts on confidentiality, integrity, and availability, such as disrupting critical CMDB operations or enabling further compromise through file system manipulation.

Advisories and related resources, including those from VulnCheck and an Exploit-DB proof-of-concept (ID 48427), document the vulnerability, while official i-doit sites provide project details. No specific patch or mitigation steps are detailed in the available information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The direct arbitrary file deletion capability maps precisely to the File Deletion sub-technique under Indicator Removal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3892 (shared CWE-73)
CVE-2024-12267 (shared CWE-73)
CVE-2025-9048 (shared CWE-73)
CVE-2025-66254 (shared CWE-73)
CVE-2025-10058 (shared CWE-73)
CVE-2026-5809 (shared CWE-73)
CVE-2025-13322 (shared CWE-73)
CVE-2026-23898 (shared CWE-73)
CVE-2025-10494 (shared CWE-73)
CVE-2025-12529 (shared CWE-73)

Affected Assets

Sourceforge
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires validation of the delete_import parameter to block crafted filenames enabling arbitrary file deletion in the import module.

Prevent: Enforces approved access authorizations to prevent authenticated low-privilege users from deleting arbitrary files accessible to the web server process.

Prevent: Restricts and authorizes access to change operations like file deletions performed via the import module.
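The input-validation control above, shown as an added example that is not i-doit's own code and does not reflect how its import module is written: a delete handler that treats the delete_import value as an untrusted bare file name and refuses anything that is not a regular, allowlisted file directly inside the import directory. The directory path, the extension allowlist and the demo scenario are all assumptions constructed here.

```python
import os
import tempfile
from pathlib import Path

# Assumed allowlist of legitimate import artifacts (not taken from the page).
ALLOWED_SUFFIXES = {".csv", ".xml"}


class RejectedFilename(ValueError):
    """Raised when the delete_import value is not a plain file name inside import_dir."""


def resolve_import_file(user_value: str, import_dir: Path) -> Path:
    """Map an untrusted delete_import value to a path, or raise RejectedFilename.

    Rejects empty/NUL values, any separator or traversal component, disallowed
    extensions, symlinks, and anything that resolves outside import_dir.
    """
    if not user_value or "\x00" in user_value:
        raise RejectedFilename("empty value or NUL byte")
    if "/" in user_value or "\\" in user_value or user_value in (".", ".."):
        raise RejectedFilename("path separators or traversal components")
    if user_value != os.path.basename(user_value):
        raise RejectedFilename("not a bare file name")
    if Path(user_value).suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedFilename("extension not in allowlist")
    base = import_dir.resolve()
    candidate = base / user_value
    if candidate.is_symlink():  # a symlink inside the directory can point anywhere
        raise RejectedFilename("symlink")
    resolved = candidate.resolve()
    if resolved.parent != base or not resolved.is_file():
        raise RejectedFilename("not a regular file directly inside import_dir")
    return resolved


def delete_import(user_value: str, import_dir: Path) -> str:
    """Hardened delete: validate first, then unlink; returns the deleted file's name."""
    target = resolve_import_file(user_value, import_dir)
    target.unlink()
    return target.name


def demo() -> dict:
    """Constructed scenario: one real import file, one symlink, one file outside."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        imports = root / "imports"
        imports.mkdir()
        (imports / "hosts.csv").write_text("name;ip\n")
        (root / "secret.txt").write_text("outside the import directory\n")
        (imports / "link.csv").symlink_to(root / "secret.txt")
        results = {}
        for value in ["hosts.csv", "../secret.txt", "link.csv", "/etc/passwd", "config.php"]:
            try:
                results[value] = delete_import(value, imports)
            except RejectedFilename as exc:
                results[value] = f"rejected: {exc}"
        results["secret_still_there"] = (root / "secret.txt").exists()
        return results
```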

References