CVE-2020-8657
Published: 06 February 2020
Summary
CVE-2020-8657 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in EyesOfNetwork (vendor: EyesOfNetwork). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
EyesOfNetwork version 5.3 contains a hardcoded API key stored as EONAPI_KEY in include/api_functions.php for API version 2.4.2. The same key is deployed by default across all installations, enabling calculation or guessing of administrative access tokens. This corresponds to CWE-798 and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can derive a valid admin token and obtain full control over the EyesOfNetwork instance. Successful exploitation grants the ability to execute arbitrary commands, as demonstrated by public proof-of-concept material targeting the AutoDiscovery component.
Public references, including a GitHub issue and PacketStorm advisories, document the hardcoded credential and provide exploitation details. The vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming observed in-the-wild use. No vendor-supplied patch or configuration change is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-29505
Vulnerability details
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
- CWE(s): CWE-798
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly prohibits embedding and reusing the same static API key across installations, eliminating the predictable admin token that enables unauthenticated remote access.
- Enforces access decisions based on validated credentials rather than a universally known hardcoded key, blocking the attacker from obtaining admin rights via the exposed token.
- Requires unique, non-guessable identification and authentication for all users before granting API access, mitigating the CWE-798 credential exposure.
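As an added example that is not EyesOfNetwork's own code, the following Python shows the pattern that removes the CWE-798 condition described in the Deeper analysis and targeted by the AC-3/IA-5 controls above: an API key generated per installation from the OS CSPRNG, stored outside the source tree, audited against any value shipped in source, and compared in constant time. The file layout, function names and the placeholder default value are assumptions, not EyesOfNetwork's actual key handling.

```python
import hmac
import json
import secrets
import tempfile
from pathlib import Path

# Constructed placeholder for a key literal shipped in source; NOT the real EONAPI_KEY value.
SHIPPED_DEFAULTS = {"example-static-key-shipped-in-source"}


def load_or_create_key(key_file: Path) -> str:
    """Return this installation's API key, generating it on first use.
    Hypothetical layout: a mode-0600 JSON file outside the web root, instead
    of a constant in include/api_functions.php shared by every install."""
    if key_file.exists():
        return json.loads(key_file.read_text())["api_key"]
    key = secrets.token_hex(32)  # 256 bits from the OS CSPRNG, unique per install
    key_file.write_text(json.dumps({"api_key": key}))
    key_file.chmod(0o600)  # readable by the service account only
    return key


def is_shipped_default(key: str) -> bool:
    """Audit check: a key equal to a value in the source tree is shared by all installs."""
    return key in SHIPPED_DEFAULTS


def verify_api_key(presented: str, expected: str) -> bool:
    """Constant-time comparison; refuses to honour an un-rotated shipped default."""
    if is_shipped_default(expected):
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def provision_installations(count: int) -> list[str]:
    """Simulate `count` fresh installs, each with its own key file; return their keys."""
    keys = []
    for _ in range(count):
        with tempfile.TemporaryDirectory() as tmp:
            key_file = Path(tmp) / "api_key.json"
            first = load_or_create_key(key_file)
            assert load_or_create_key(key_file) == first  # stable across restarts
            keys.append(first)
    return keys


if __name__ == "__main__":
    print("distinct per install:", len(set(provision_installations(3))) == 3)
```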