CVE-2020-37135
Published: 07 February 2026
Summary
CVE-2020-37135 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
NVD Description
AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system.
Deeper analysisAI
CVE-2020-37135 is an authentication bypass vulnerability in AMSS++ 4.7, classified under CWE-798 (use of hard-coded credentials). The flaw allows attackers to access administrative accounts using hardcoded default credentials, specifically the admin username and password '1234', enabling unauthorized administrative access to the system. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility and confidentiality impact.
Remote attackers require only network access to exploit this vulnerability, with no need for prior privileges, user interaction, or complex preconditions. Successful exploitation grants full administrative access, potentially allowing attackers to view sensitive data, modify configurations, or perform other privileged actions, resulting in high confidentiality impact without integrity or availability disruption.
Advisories and references highlight the backdoor nature of the admin account, with details available at https://www.vulncheck.com/advisories/amss-backdoor-admin-account and a public exploit published at https://www.exploit-db.com/exploits/48114. No specific patch or mitigation steps are detailed in the provided information.
Details
- CWE(s)