CVE-2020-11896

CRITICAL

Treck TCP/IP < 6.0.1.66 - Remote Code Execution via IPv4 Tunneling

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-11896. PoCs published by Fans0n-Fan, 0xkol.

AI-analyzed exploit summary This repository contains a scanner for detecting devices using the Treck TCP/IP stack by sending custom ICMP packets (type 0xa5) and checking for specific responses. It also includes a PoC for CVE-2020-11896, which sends malformed UDP packets to trigger a potential vulnerability.

Description

The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.

Exploits (2)

nomisec SCANNER 10 stars

by Fans0n-Fan · poc

https://github.com/Fans0n-Fan/Treck20-Related

View Code ZIP pw:eip

This repository contains a scanner for detecting devices using the Treck TCP/IP stack by sending custom ICMP packets (type 0xa5) and checking for specific responses. It also includes a PoC for CVE-2020-11896, which sends malformed UDP packets to trigger a potential vulnerability.

Classification

Scanner 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Theoretical

Target: Treck TCP/IP stack

No auth needed

Prerequisites: Network access to target device · Scapy library installed

MITRE ATT&CK

T1498 - Network Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 8 stars

by 0xkol · poc

https://github.com/0xkol/ripple20-digi-connect-exploit

View Code ZIP pw:eip

This is a functional PoC exploit for CVE-2020-11896, targeting a heap-based buffer overflow in the Treck TCP/IP stack (Ripple20) on Digi Connect ME 9210 devices. It achieves remote code execution via a multi-stage attack involving ICMP and UDP packet manipulation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Digi Connect ME 9210 running NET+OS 7.5

No auth needed

Prerequisites: Network access to the target device · Treck TCP/IP stack vulnerability presence

MITRE ATT&CK