Cyber Posture

CVE-2020-37138

Critical · Public PoC

Published: 05 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-37138 is a critical-severity stack-based buffer overflow (CWE-121) in 10 Strike software (the vendor is inferred from references; NVD did not file a CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks at the 16.5th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): timely patching or upgrading of 10-Strike Network Inventory Explorer removes the stack-based buffer overflow in the file import functionality.

Prevent (SI-10, Information Input Validation): validating imported text files, in particular rejecting oversized or malformed fields before they are copied into fixed-size stack buffers, stops crafted payloads from triggering the overflow.

Prevent (SI-16, Memory Protection): memory safeguards such as ASLR and stack canaries hinder arbitrary code execution from the overflow even though the published exploit bypasses DEP with a ROP chain; DEP alone is not sufficient here.

NVD Description

10-Strike Network Inventory Explorer 9.03 contains a buffer overflow vulnerability in the file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious text file with carefully constructed payload to trigger a stack-based buffer overflow and bypass data execution prevention through a ROP chain.

Deeper analysis

CVE-2020-37138 is a stack-based buffer overflow vulnerability (CWE-121) affecting 10-Strike Network Inventory Explorer version 9.03, specifically in its file import functionality. The flaw enables remote attackers to execute arbitrary code by crafting a malicious text file with a carefully constructed payload that triggers the overflow and bypasses data execution prevention via a ROP chain.

Remote unauthenticated attackers can exploit this vulnerability over the network (AV:N/AC:L/PR:N/UI:N/S:U), requiring no privileges or user interaction. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 9.8.

Advisories and references, including a detailed analysis from VulnCheck and a public proof-of-concept exploit on Exploit-DB (ID 48264), are available alongside vendor pages at 10-strike.com and the product site at 10-strike.com/networkinventoryexplorer/. The vulnerability was published on 2026-02-05.

Details

CWE(s): CWE-121 (Stack-based Buffer Overflow)

Affected Products: 10 Strike (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-70219 (shared CWE-121)
CVE-2026-29972 (shared CWE-121)
CVE-2025-60690 (shared CWE-121)
CVE-2026-4444 (shared CWE-121)
CVE-2025-61128 (shared CWE-121)
CVE-2019-25319 (shared CWE-121)
CVE-2026-22923 (shared CWE-121)
CVE-2025-69195 (shared CWE-121)
CVE-2020-37124 (shared CWE-121)
CVE-2026-22904 (shared CWE-121)

References