CVE-2020-10547

CRITICAL NUCLEI

rConfig <3.9.4 - SQL Injection

Title source: llm

Description

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Nuclei Templates (1)

rConfig 3.9.4 - SQL Injection
CRITICALby madrobot
Shodan: http.title:"rconfig"
FOFA: title="rconfig"

References (2)

Scores

CVSS v3 9.8
EPSS 0.9212
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
rconfig/rconfig < 3.9.4
Published Jun 04, 2020
Tracked Since Feb 18, 2026