CVE-2020-24033

HIGH

fs.com S3900 - Auth Bypass

Title source: llm

Description

An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form has no authentication or token verification mechanism, which allows remote attackers to forge requests on behalf of a site administrator and change all settings, including deleting users and creating new users with escalated privileges.

Exploits (2)

gitlab WORKING POC
by M0NsTeRRR · poc
https://gitlab.com/M0NsTeRRR/CVE-2020-24033
nomisec WORKING POC
by M0NsTeRRR · poc
https://github.com/M0NsTeRRR/CVE-2020-24033

Scores

CVSS v3 8.8
EPSS 0.0120
EPSS Percentile 79.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
fs/s3900_24t4s_firmware < 1.7.0
Published Oct 22, 2020
Tracked Since Feb 18, 2026