
CVE-2020-37117

Severity: High · Public PoC available

Published: 05 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: not detailed in available sources
CVSS v4.0 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0069 (47.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37117 is a high-severity vulnerability in jizhiCMS (vendor Jizhicms), catalogued as CWE-434, Unrestricted Upload of File with Dangerous Type. Its CVSS v4.0 base score is 8.6 (High). Note that the CWE label is upload-oriented while the advisory text below describes the flaw as an arbitrary file download; treat the CWE as the catalog classification and read the vulnerability details for what the endpoint actually does.

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The EPSS ranking places it at the 47.9th percentile by exploit likelihood, below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced, so the "below median" ranking should not be read as "no working exploit".

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37117 is an arbitrary file download vulnerability in jizhiCMS version 1.6.7. The flaw is in the admin plugins update endpoint: an authenticated administrator can submit a POST request whose "filepath" and "download_url" parameters are fully attacker-controlled, and the endpoint honours both without restriction. The vulnerability is recorded with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and classified as CWE-434.

Two inconsistencies in the catalog data deserve attention. First, the v3.1 vector says PR:L while the v4.0 vector above says PR:H; the administrator-only precondition described in every source matches PR:H. Second, a CWE-434 classification combined with a "download_url" parameter and high integrity and availability impact is consistent with the server fetching a remote file and writing it to the chosen "filepath", not only with a client pulling existing files off the server. Until the referenced PoC is reviewed, treat the endpoint as a potential remote-file-write primitive, which is the more dangerous reading.

An attacker who already holds administrator credentials can exploit this remotely over the network with low attack complexity and no user interaction. Depending on how the endpoint resolves "filepath", the outcome is either disclosure of arbitrary server files (configuration files holding database credentials, user data) or placement of attacker-supplied content at an attacker-chosen path on the web root, which is the usual route to code execution in a PHP CMS. Either way, the high confidentiality, integrity and availability ratings reflect compromise of the application host rather than data exposure alone.

Advisories from VulnCheck (vulncheck.com/advisories/jizhicms-arbitrary-file-download) and a proof-of-concept exploit on Exploit-DB (exploit-db.com/exploits/48361) detail the vulnerability and the exploitation method. The vendor site (jizhicms.cn) is referenced for additional context, but no patch or fixed version is identified in the available sources; until one is confirmed, 1.6.7 should be treated as unpatched and the admin plugins update endpoint restricted at the network or access-control layer.

Vulnerability details

jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Arbitrary file download from an admin endpoint directly enables T1005, retrieval of local system data such as configuration files and credentials; remote exploitation of the CMS web application maps to T1190. Note that T1190 presumes the admin endpoint is reachable from the Internet and that the attacker already holds, or can obtain, administrator credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25784 · Same product: Jizhicms Jizhicms
CVE-2025-50229 · Same product: Jizhicms Jizhicms
CVE-2025-70397 · Same product: Jizhicms Jizhicms
CVE-2026-3292 · Same product: Jizhicms Jizhicms
CVE-2025-50228 · Same product: Jizhicms Jizhicms
CVE-2025-25785 · Same product: Jizhicms Jizhicms
CVE-2024-8958 · Shared CWE-434
CVE-2025-57795 · Shared CWE-434
CVE-2025-12352 · Shared CWE-434
CVE-2026-1730 · Shared CWE-434

Affected Assets

Vendor: jizhicms
Product: jizhicms
Version: 1.6.7

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · AC-3 Access Enforcement: Enforces approved authorizations to restrict authenticated administrators from accessing arbitrary files via the plugins update endpoint.

prevent · SI-10 Information Input Validation: Validates the filepath and download_url parameters so that crafted values cannot trigger unauthorized arbitrary file downloads.

prevent: Limits administrator privileges to only the file access the plugins update workflow needs, so that an excessive permission set cannot be turned into an arbitrary download.
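The SI-10 control above, and the crafted "filepath" / "download_url" POST described under "Deeper analysis", both come down to the same two checks: confine the target path to the directory updates are allowed to land in, and restrict the fetch URL to an allowlisted origin. The following is an added example of those checks, written in Python for illustration rather than in jizhiCMS's own PHP, and it is not the project's code. The plugin root, the allowlisted host, the permitted suffix and the sample requests are all assumptions constructed for the example; the endpoint path and the real parameter handling of jizhiCMS are not reproduced here.

```python
"""Hardened handling of the two request parameters the advisory names
('filepath' and 'download_url') for an admin plugin-update endpoint.
Added example in Python; jizhiCMS itself is PHP and this is not its code.
PLUGIN_ROOT, ALLOWED_HOSTS, ALLOWED_SUFFIXES and SAMPLE_REQUESTS are assumptions."""
from pathlib import Path
from urllib.parse import unquote, urlsplit
import ipaddress

PLUGIN_ROOT = Path("/var/www/cms/plugins")   # assumed: only place an update may be written
ALLOWED_HOSTS = {"plugins.example.com"}      # assumed: vendor update server allowlist
ALLOWED_SUFFIXES = {".zip"}                  # assumed: update packages are zip archives


class RejectedInput(ValueError):
    """Raised when a parameter fails validation; the caller should log it and return 400."""


def safe_plugin_path(user_path: str, root: Path = PLUGIN_ROOT) -> Path:
    """Confine a user-supplied relative path to `root` and return the absolute target.

    Checks, in order: NUL bytes and empty values, absolute paths, file suffix, and
    finally a canonical-prefix check that defeats '..' traversal and symlinks
    (Path.resolve follows symlinks that exist and normalises '..' lexically otherwise).
    The value is percent-decoded once so encoded traversal is judged in decoded form."""
    decoded = unquote(user_path)
    if not decoded.strip() or "\x00" in decoded:
        raise RejectedInput("empty path or NUL byte")
    if decoded.startswith(("/", "\\")) or Path(decoded).is_absolute():
        raise RejectedInput("absolute path not allowed")
    candidate = Path(decoded)
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedInput(f"suffix {candidate.suffix!r} not allowed")
    target = (root / candidate).resolve()
    if root.resolve() not in target.parents:
        raise RejectedInput("path escapes plugin root")
    return target


def safe_download_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Accept only https URLs to an allowlisted host with no embedded credentials.

    Blocks file://, http:// and other scheme abuse, rejects 'user@host' tricks, and
    refuses IP literals so a private address (SSRF) cannot slip in even if one were
    allowlisted by mistake. Assumption: the fetch layer also disables redirects,
    otherwise an allowlisted host could redirect to an internal address."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise RejectedInput(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise RejectedInput("credentials in URL")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise RejectedInput("IP literal host not allowed")
    if host not in allowed_hosts:
        raise RejectedInput(f"host {host!r} not in allowlist")
    return url.strip()


def check_update_request(params: dict) -> dict:
    """Validate one request's parameters; returns a verdict dict the endpoint can act on."""
    try:
        target = safe_plugin_path(params.get("filepath", ""))
        url = safe_download_url(params.get("download_url", ""))
    except RejectedInput as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "target": str(target), "url": url}


# Constructed sample requests (not captured traffic): one legitimate update and
# several shapes an attacker might send to the endpoint the advisory describes.
SAMPLE_REQUESTS = {
    "legit": {"filepath": "seo/seo-1.2.zip",
              "download_url": "https://plugins.example.com/seo-1.2.zip"},
    "traversal": {"filepath": "../../../tmp/shell.zip",
                  "download_url": "https://plugins.example.com/x.zip"},
    "encoded_traversal": {"filepath": "%2e%2e/%2e%2e/shell.zip",
                          "download_url": "https://plugins.example.com/x.zip"},
    "php_dropper": {"filepath": "seo/backdoor.php",
                    "download_url": "https://plugins.example.com/x.zip"},
    "attacker_host": {"filepath": "seo/x.zip",
                      "download_url": "https://attacker.example/shell.zip"},
    "ssrf_localhost": {"filepath": "seo/x.zip",
                       "download_url": "http://127.0.0.1:8080/admin"},
}


def evaluate_samples(samples: dict = SAMPLE_REQUESTS) -> dict:
    """Run every sample through the checks; returns {name: verdict}."""
    return {name: check_update_request(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        state = "ACCEPT" if verdict["ok"] else "REJECT: " + verdict["reason"]
        print(f"{name:18} -> {state}")
```

The order of checks matters: the suffix test runs before the prefix test so a `.php` dropper is refused even when it would land inside the plugin directory, and the prefix test is done on the resolved path rather than by string-matching `..`, which is what catches symlinks and encoded traversal alike. Rejections carry a reason so the endpoint can log them as detection signal for the T1190 mapping above.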
