CVE-2020-35729
CVE-2020-35729
Vexday Risk Score
60Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Popular PoC on GitHub (5 stars) — exploitation code widely available.
CVSS —EPSS 88.0%KEV nãoPoC públicaNuclei simMetasploit simPatch —
Lifecycle
27 Dec 2020Metasploit module available
27 Dec 2020Published on NVD
05 Jan 2021Public PoC
Weaponization speed
9 daysto first PoC
same dayto Metasploit module
Weaponized quickly — attackers prioritized this vulnerability. Patch urgently.
Recommendation: Plan a near-term fix — a public PoC already exists.
KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.
Affected products
n/a · n/apublic PoCs found — 6
githubgithub.com/Al1ex/CVE-2020-35729★ 5cve_referencepacketstormsecurity.com/files/160798/Klog-Server-2.4.1-Command-Injection.htmlunverifiedcve_referencepacketstormsecurity.com/files/161123/Klog-Server-2.4.1-Command-Injection.htmlunverifiedcve_referencepacketstormsecurity.com/files/161410/Klog-Server-2.4.1-Command-Injection.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49366unverifiedexploitdbwww.exploit-db.com/exploits/49474unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/160798/Klog-Server-2.4.1-Command-Injection.htmlhttp://packetstormsecurity.com/files/161123/Klog-Server-2.4.1-Command-Injection.htmlhttp://packetstormsecurity.com/files/161410/Klog-Server-2.4.1-Command-Injection.htmlhttps://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/Exploit_Codehttps://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/README.md