CVE-2020-10546

CRITICAL EXPLOITED NUCLEI

rConfig <3.9.4 - SQL Injection

Title source: llm

Description

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Nuclei Templates (1)

rConfig 3.9.4 - SQL Injection

CRITICALby madrobot

Shodan: http.title:"rconfig"

FOFA: title="rconfig"

References (2)

[Exploit, Third Party Advisory] https://github.com/theguly/exploits/blob/master/CVE-2020-10546.py

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/

Scores

CVSS v3 9.8

EPSS 0.9235

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-13

CWE

CWE-89

Status published

Products (1)

rconfig/rconfig < 3.9.4

Published Jun 04, 2020

Tracked Since Feb 18, 2026