Cyber Resilience

CVE-2020-37135

CriticalPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2020-37135 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 34.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2020-37135 is an authentication bypass vulnerability in AMSS++ 4.7, classified under CWE-798 (use of hard-coded credentials). The flaw allows attackers to access administrative accounts using hardcoded default credentials, specifically the admin username and password '1234', enabling unauthorized administrative access to the system. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility and confidentiality impact.

Remote attackers require only network access to exploit this vulnerability, with no need for prior privileges, user interaction, or complex preconditions. Successful exploitation grants full administrative access, potentially allowing attackers to view sensitive data, modify configurations, or perform other privileged actions, resulting in high confidentiality impact without integrity or availability disruption.

Advisories and references highlight the backdoor nature of the admin account, with details available at https://www.vulncheck.com/advisories/amss-backdoor-admin-account and a public exploit published at https://www.exploit-db.com/exploits/48114. No specific patch or mitigation steps are detailed in the provided information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hardcoded default admin credentials (admin/1234) directly enable use of default accounts for initial unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26218Shared CWE-798
CVE-2026-22900Shared CWE-798
CVE-2024-51547Shared CWE-798
CVE-2024-46433Shared CWE-798
CVE-2019-25322Shared CWE-798
CVE-2026-27785Shared CWE-798
CVE-2026-24346Shared CWE-798
CVE-2026-25803Shared CWE-798
CVE-2025-33089Shared CWE-798
CVE-2026-29119Shared CWE-798

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 requires changing default authenticators prior to first use, directly preventing authentication bypass via hardcoded credentials like 'admin/1234'.

prevent

AC-2 mandates management of accounts including disabling unnecessary or default administrative accounts, blocking unauthorized access through hardcoded credentials.

prevent

CM-6 enforces secure configuration settings that prohibit default or hardcoded credentials, mitigating the vulnerability in AMSS++ administrative access.

References