Cayin CMS Remote Command Injection via system.cgi (ZSL-2020-5570)

Key Information Vulnerability Title Title: Cayin Content Management Server 11.0 Root Remote Command Injection Vulnerability Details Advisory ID: ZSL-2020-5570 Type: Local/Remote Impact: System Access, DoS Risk: 4/5 Release Date: 04.06.2020 Vulnerability Overview Summary: CAYIN CMS is vulnerable to an OS semi-blind command injection exploit via default credentials. Attackers can inject and execute arbitrary shell commands through the "NTP_Server_IP" HTTP POST parameter in the system.cgi page, running with root privileges. Affected Versions CMS-SE v11.0 Build 19179 CMS-SE v11.0 Build 19025 CMS-SE v11.0 Build 18325 CMS Station (CMS-SE-LXC) CMS-60 v11.0 Build 19025 CMS-40 v9.0 Build 14197 CMS-40 v9.0 Build 14099 CMS-40 v9.0 Build 14093 CMS-20 v9.0 Build 14197 CMS-20 v9.0 Build 14092 CMS v8.2 Build 12199 CMS v8.0 Build 11175 CMS v7.5 Build 11175 Test Environment Apache/1.3.42 (Unix) Vendor Status 15.05.2020: Vulnerability discovered 23.05.2020: Vendor contacted 25.05.2020: Vendor requested more details 25.05.2020: Detailed information sent to vendor 04.06.2020: No response from vendor 04.06.2020: Security advisory publicly released PoC cayin_cms.txt Discoverer Gjoko Krstic - References exploit-db.com packetstormsecurity.com exchange.xforce.ibmcloud.com cxsecurity.com blog.rapid7.com github.com/rapid7 cve.mitre.org Change Log 04.06.2020: Initial release 05.06.2020: Added references [1], [2], and [3] 22.06.2020: Added references [4], [5], [6], [7], [8], and [9] 03.07.2020: Added reference [10]

Goal Reached Thanks to every supporter — we hit 100%!

Cayin CMS Remote Command Injection via system.cgi (ZSL-2020-5570)