CVE-2020-29574

CVSS 9.8 CRITICAL · EPSS 4.7% · KEV · CWE-89
Vexday Risk Score: 58 (Attention)
SSVC decision (CISA): Act. Exploitation + impact → act immediately.
Lifecycle
11 Dec 2020: Published on NVD
06 Feb 2025: Active exploitation confirmed (added to CISA KEV)
Recommendation: Patch as soon as possible. Active exploitation is confirmed.
In short

An attacker can inject malicious SQL commands into the WebAdmin interface of Cyberoam OS without needing a password, allowing them to steal or manipulate all data in the database.

Technical detail

The WebAdmin interface of Cyberoam OS (builds through 2020-12-04) builds SQL queries from user-supplied input without sanitising or parameterising it (CWE-89). A remote attacker who can reach WebAdmin can therefore submit crafted input that is executed as SQL with the privileges of the application's database account, with no credentials required. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects this: network-reachable, low attack complexity, no privileges or user interaction needed, and full loss of confidentiality, integrity and availability of the data the database holds. The advisory does not name the vulnerable endpoint or parameter, so exposure should be judged by whether WebAdmin is reachable from untrusted networks rather than by any specific request pattern.

Summary generated and translated by AI from the official description.
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
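The pattern behind CWE-89 as described above, shown as an added example that is not code from this page, from Cyberoam, or from Sophos: the advisory does not identify the injectable parameter, so the schema, table names, data and payloads below are constructed purely to illustrate why an unauthenticated input concatenated into a query yields "arbitrary SQL statements" and why a parameterised query does not. The same query is written once with string formatting and once with bound parameters, and both are exercised with a tautology payload and a UNION payload.

```python
import sqlite3

# Constructed in-memory schema standing in for an admin-interface database.
# Table and column names are assumptions for this illustration, not Cyberoam's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO admins (username, password_hash) VALUES (?, ?)",
        [("admin", "hash-of-admin-secret"), ("audit", "hash-of-audit-secret")],
    )
    conn.execute("CREATE TABLE config (key TEXT, value TEXT)")
    conn.execute("INSERT INTO config VALUES ('license_key', 'XXXX-CONSTRUCTED')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    # CWE-89: the untrusted value becomes part of the SQL text, so quote
    # characters in it change the query's structure rather than its data.
    sql = f"SELECT username, password_hash FROM admins WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, username):
    # Bound parameter: the driver sends the value separately from the query
    # text, so the same payloads are compared as literal strings and match nothing.
    sql = "SELECT username, password_hash FROM admins WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def run_demo():
    conn = make_db()
    # Tautology: closes the quote and appends an always-true condition.
    payload_tautology = "' OR '1'='1"
    # UNION: closes the quote, appends rows from an unrelated table, and
    # comments out the trailing quote the template would otherwise add.
    payload_union = "x' UNION ALL SELECT key, value FROM config --"
    return {
        "vuln_tautology": vulnerable_lookup(conn, payload_tautology),
        "vuln_union": vulnerable_lookup(conn, payload_union),
        "safe_tautology": hardened_lookup(conn, payload_tautology),
        "safe_union": hardened_lookup(conn, payload_union),
        "safe_legit": hardened_lookup(conn, "admin"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable form returns every admin row for the tautology and the contents of an unrelated table for the UNION, with no credentials involved at any point; the parameterised form returns nothing for either payload and still works for a legitimate username. One caveat when reading this against the advisory's "arbitrary SQL statements": Python's sqlite3 refuses to run more than one statement per execute() call, whereas drivers for server-side databases commonly execute stacked statements, which is what turns data disclosure into the integrity and availability impact the CVSS vector records.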
Affected products
n/a · n/a (no vendor/product pair is recorded here; the official description covers Cyberoam OS through 2020-12-04)
