CVE-2020-37104
Published: 11 February 2026
Summary
CVE-2020-37104 is a high-severity Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) vulnerability in Inextrix Astpp. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).
Deeper analysis
ASTPP 4.0.1, a VoIP billing software, is affected by CVE-2020-37104, an information disclosure vulnerability rated at CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and mapped to CWE-538. The flaw enables unauthenticated attackers to download database backup files from the /database_backup/ directory by predicting backup filename patterns, which incorporate 6-digit PIN combinations.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By generating a list of possible 6-digit PINs and fuzzing the backup download URL, they can exfiltrate sensitive database information contained in the backups.
Advisories and references, including those from Vulncheck and Exploit-DB, detail the issue and provide exploit code demonstrating the attack. Security practitioners should consult the ASTPP GitHub repository and official site for any available patches or configuration guidance to mitigate exposure of the /database_backup/ directory.
A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for real-world abuse against unpatched ASTPP 4.0.1 deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31179
Vulnerability details
ASTPP 4.0.1 contains an information disclosure vulnerability that allows unauthenticated attackers to download database backup files by predicting backup filename patterns. Attackers can generate a list of 6-digit PIN combinations and fuzz the backup download URL to exfiltrate sensitive database information from the /database_backup/ directory.
- CWE(s): CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated exploitation of the public-facing web application to reach DB backup files maps to T1190; the resulting exfiltration of local system data maps to T1005.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): Directly limits and documents permitted actions without identification or authentication, preventing unauthenticated attackers from downloading sensitive database backup files via predictable URLs.
- SC-14 (Public Access Protections): Provides specific protections for publicly accessible system resources and information, mitigating unauthorized access to the exposed /database_backup/ directory containing sensitive data.
- Monitors and controls communications at external boundaries, blocking unauthenticated remote access and fuzzing attempts against predictable backup filenames in the web directory.
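As an added defensive example (not code from this page or from the ASTPP project), the following Python detector covers the boundary-monitoring control above for the fuzzing pattern the deeper analysis describes: run over web-server access logs, it flags any client enumerating /database_backup/ and, separately, any 200 response served from that directory, which should never happen. The combined log format, the alert threshold, and the backup filenames in the constructed sample are assumptions; the page itself gives only the directory and the 6-digit-PIN naming.

```python
import re
from datetime import datetime

BACKUP_PREFIX = "/database_backup/"
# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_backup_enumeration(lines, threshold=10, window_seconds=60):
    """('download', ip, path) for any 200 served from the backup directory; ('enumeration',
    ip, total_hits) when one client requests it >= threshold times within window_seconds."""
    hits, alerts = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(BACKUP_PREFIX):
            continue
        hits.setdefault(rec["ip"], []).append(rec["ts"])
        if rec["status"] == 200:
            alerts.append(("download", rec["ip"], rec["path"]))
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over this client's timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("enumeration", ip, len(times)))
                break
    return alerts

def _guess_burst(ip, n):
    """Constructed log lines: n sequential guesses, all 404 (filenames are made up, not ASTPP's)."""
    return [f'{ip} - - [11/Feb/2026:10:00:{i:02d} +0000] "GET {BACKUP_PREFIX}backup_{i:06d}.sql'
            f' HTTP/1.1" 404 162 "-" "curl/8.4"' for i in range(n)]

SAMPLE_LOG = _guess_burst("203.0.113.7", 12) + [  # constructed: one guesser, one normal user
    '203.0.113.7 - - [11/Feb/2026:10:00:13 +0000] "GET /database_backup/backup_483920.sql HTTP/1.1" 200 5242880 "-" "curl/8.4"',
    '198.51.100.3 - - [11/Feb/2026:10:05:00 +0000] "GET /index.php/login HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [11/Feb/2026:10:05:02 +0000] "GET /database_backup/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]
```

In production the same logic belongs in the web-server ACL or WAF as a deny rule on the directory; the detector is for finding the attempts (and any successful download) in logs that already exist.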