CVE-2020-37135
Published: 07 February 2026
Summary
CVE-2020-37135 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 34.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2020-37135 is an authentication bypass vulnerability in AMSS++ 4.7, classified under CWE-798 (use of hard-coded credentials). The flaw allows attackers to access administrative accounts using hardcoded default credentials, specifically the admin username and password '1234', enabling unauthorized administrative access to the system. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility and confidentiality impact.
Remote attackers require only network access to exploit this vulnerability, with no need for prior privileges, user interaction, or complex preconditions. Successful exploitation grants full administrative access, potentially allowing attackers to view sensitive data, modify configurations, or perform other privileged actions, resulting in high confidentiality impact without integrity or availability disruption.
Advisories and references highlight the backdoor nature of the admin account, with details available at https://www.vulncheck.com/advisories/amss-backdoor-admin-account and a public exploit published at https://www.exploit-db.com/exploits/48114. No specific patch or mitigation steps are detailed in the provided information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31104
Vulnerability details
AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded default admin credentials (admin/1234) directly enable use of default accounts for initial unauthorized access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 requires changing default authenticators prior to first use, directly preventing authentication bypass via hardcoded credentials like 'admin/1234'.
AC-2 mandates management of accounts including disabling unnecessary or default administrative accounts, blocking unauthorized access through hardcoded credentials.
CM-6 enforces secure configuration settings that prohibit default or hardcoded credentials, mitigating the vulnerability in AMSS++ administrative access.