Cyber Resilience

CVE-2020-37104

High · Public PoC

Published: 11 February 2026

Modified: 20 February 2026
CVSS Score v4: 8.7
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0056 (42.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37104 is a high-severity Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) vulnerability in Inextrix Astpp. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 42.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).

Deeper analysis

ASTPP 4.0.1, a VoIP billing software, is affected by CVE-2020-37104, an information disclosure vulnerability rated at CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and mapped to CWE-538. The flaw enables unauthenticated attackers to download database backup files from the /database_backup/ directory by predicting backup filename patterns, which incorporate 6-digit PIN combinations.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By generating a list of possible 6-digit PINs and fuzzing the backup download URL, they can exfiltrate sensitive database information contained in the backups.

Advisories and references, including those from VulnCheck and Exploit-DB, detail the issue and provide exploit code demonstrating the attack. Security practitioners should consult the ASTPP GitHub repository and official site for any available patches or configuration guidance to mitigate exposure of the /database_backup/ directory.

A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for real-world abuse against unpatched ASTPP 4.0.1 deployments.

Vulnerability details

ASTPP 4.0.1 contains an information disclosure vulnerability that allows unauthenticated attackers to download database backup files by predicting backup filename patterns. Attackers can generate a list of 6-digit PIN combinations and fuzz the backup download URL to exfiltrate sensitive database information from the /database_backup/ directory.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Direct, unauthenticated exploitation of a public-facing web application to reach database backup files maps to T1190; the resulting exfiltration of data stored on the local system maps to T1005.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37153 (Same product: Inextrix Astpp)
CVE-2023-54346 (Shared CWE-538)
CVE-2025-12059 (Shared CWE-538)
CVE-2026-27173 (Shared CWE-538)
CVE-2016-20024 (Shared CWE-538)
CVE-2026-23838 (Shared CWE-538)
CVE-2019-25706 (Shared CWE-538)
CVE-2026-21672 (Shared CWE-538)
CVE-2026-49298 (Shared CWE-538)
CVE-2025-11079 (Shared CWE-538)

Affected Assets

Vendor: inextrix
Product: astpp
Version: 4.0.1

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly limits and documents permitted actions without identification or authentication, preventing unauthenticated attackers from downloading sensitive database backup files via predictable URLs.

prevent

Provides specific protections for publicly accessible system resources and information, mitigating unauthorized access to the exposed /database_backup/ directory containing sensitive data.

prevent

Monitors and controls communications at external boundaries, blocking unauthenticated remote access and fuzzing attempts against predictable backup filenames in the web directory.
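
For the monitoring side of these controls, the following added example (not from the advisory or the ASTPP project) scans web-server access logs for the enumeration pattern described above: one client requesting many distinct paths under /database_backup/, or any such path answered with HTTP 200. The combined log format, the window and threshold values, and the sample file names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BACKUP_PREFIX = "/database_backup/"   # directory named in the advisory
LINE_RE = re.compile(                 # combined log format: client, time, request, status
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_backup_enumeration(lines, window=timedelta(minutes=5), threshold=20):
    """Flag clients that request >= threshold distinct backup paths within
    `window`, or that received a 200 for any path under the backup directory."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(BACKUP_PREFIX):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["path"].split("?")[0], int(m["status"])))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        peak = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            peak = max(peak, len({p for _, p, _ in evs[start:end + 1]}))
        hits = sorted({p for _, p, s in evs if s == 200})
        if peak >= threshold or hits:
            findings[ip] = {"distinct_paths": peak, "served": hits}
    return findings

def sample_log():
    """Constructed access-log lines; file names are made up for the example."""
    t0 = datetime(2026, 2, 11, 10, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "-"'
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="203.0.113.9", ts=stamp(i), status=200 if i == 17 else 404,
                        path=f"{BACKUP_PREFIX}example_{i:06d}.sql") for i in range(30)]
    lines.append(fmt.format(ip="198.51.100.4", ts=stamp(40), path="/index.php", status=200))
    lines.append(fmt.format(ip="192.0.2.7", ts=stamp(50), status=403,
                            path=BACKUP_PREFIX + "example_000001.sql"))
    return lines

if __name__ == "__main__":
    for ip, info in find_backup_enumeration(sample_log()).items():
        print(ip, info)
```

Any entry in `served` means a file under the backup directory was delivered over HTTP and should be treated as a potential disclosure, regardless of how many requests preceded it.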
