CVE-2020-10549

CRITICAL NUCLEI

rConfig <3.9.4 - SQL Injection

Title source: llm

Description

rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Nuclei Templates (1)

rConfig <=3.9.4 - SQL Injection

CRITICALby madrobot

Shodan: http.title:"rconfig"

FOFA: title="rconfig"

References (2)

[Exploit, Third Party Advisory] https://github.com/theguly/exploits/blob/master/CVE-2020-10549.py

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/

Scores

CVSS v3 9.8

EPSS 0.9299

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

rconfig/rconfig < 3.9.4

Published Jun 04, 2020

Tracked Since Feb 18, 2026