CVE-2020-37092
Published: 03 February 2026
Summary
CVE-2020-37092 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability affecting a Netis Systems product (vendor inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). It ranks at the 19.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2020-37092 is a hardcoded root account vulnerability (CWE-798) in the Netis E1+ network device, specifically version 1.2.32533. This flaw embeds a root account with predefined credentials, enabling unauthorized access without authentication. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting its high severity due to network accessibility, low attack complexity, and significant confidentiality impact.
Unauthenticated remote attackers can exploit this vulnerability by leveraging the embedded root account and its crackable password. Successful exploitation grants full administrative access to the affected network device, potentially allowing attackers to control device functions, extract sensitive configuration data, or pivot to other network resources.
Advisories and related resources include the vendor site at http://www.netis-systems.com, an Exploit-DB entry at https://www.exploit-db.com/exploits/48382 detailing a public exploit, and a Vulncheck advisory at https://www.vulncheck.com/advisories/netis-e-backdoor-account-root focused on the backdoor root account. These references provide additional technical details that security practitioners should consult for mitigation guidance or patch availability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31003
Vulnerability details
Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded root credentials directly enable use of default/valid accounts for remote device access (T1078.001) and external remote services exploitation (T1133).
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly requires changing default authenticators prior to first use and ensuring sufficient strength, addressing the hardcoded root account with a crackable password.
- AC-2 (Account Management): mandates management and disabling of unnecessary accounts, preventing exploitation of the embedded root account.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of flaws like this hardcoded credentials vulnerability through patching.
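The embedded root account described under Vulnerability details and the AC-2/IA-5 controls above reduce to one audit question: does the firmware ship an account that can log in? The following Python is an added example, not code from the advisory, the vendor or the referenced exploit, that checks /etc/passwd and /etc/shadow text from an unpacked firmware image for such accounts; the sample entries and hash strings are constructed placeholders.

```python
"""Added example (not the advisory's or vendor's code): audit /etc/passwd and /etc/shadow
text from an unpacked firmware image for accounts that can authenticate, marking UID-0
accounts as root-equivalent. Sample entries are constructed; hashes are placeholders."""
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, int, str, str]  # (user, uid, source file, kind of usable field)

def classify_password_field(field: str) -> Optional[str]:
    """What kind of login the field permits, or None if it cannot authenticate."""
    if field == "":
        return "empty"              # blank field: login succeeds with no password at all
    if field == "x" or field.startswith(("!", "*")):
        return None                 # deferred to shadow, or locked/disabled account
    if field.startswith("$"):
        return field.split("$")[1]  # modular crypt id, e.g. "1" = md5crypt, "6" = sha512crypt
    return "des"                    # 13-character legacy crypt(3) hash

def _entries(text: str) -> Dict[str, List[str]]:
    # user name -> colon-separated fields, skipping blank and comment lines
    rows = (ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {r[0]: r for r in rows}

def audit_accounts(passwd_text: str, shadow_text: str = "") -> List[Finding]:
    """Flag every usable password field in either file; the audit is deliberately
    conservative, so a hash in passwd counts even if shadow locks the account."""
    shadow = _entries(shadow_text)
    findings: List[Finding] = []
    for user, fields in _entries(passwd_text).items():
        candidates = [("passwd", fields[1])]
        if user in shadow:
            candidates.append(("shadow", shadow[user][1]))
        for source, field in candidates:
            kind = classify_password_field(field)
            if kind is not None:
                findings.append((user, int(fields[2]), source, kind))
    return findings

def root_equivalent(findings: List[Finding]) -> Set[str]:
    """Flagged accounts with UID 0, i.e. full administrative access on the device."""
    return {user for user, uid, _, _ in findings if uid == 0}

# Constructed sample files; the $1$ values are placeholders, not real credentials.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:$1$xxxxxxxx$PLACEHOLDER_NOT_A_REAL_HASH:0:0:admin:/:/bin/sh
guest::101:101:guest:/tmp:/bin/sh
svc:x:100:100:service:/var/svc:/bin/false"""
SAMPLE_SHADOW = """root:$1$xxxxxxxx$PLACEHOLDER_NOT_A_REAL_HASH:0:0:99999:7:::
svc:!:0:0:99999:7:::"""
```

Run against a real unpacked rootfs by reading the two files into `audit_accounts`; any UID-0 finding is an account that must be removed or rotated before the device is deployed.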