CVE-2020-24033

HIGH

fs.com S3900 24T4S < 1.7.0 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-24033. PoCs published by M0NsTeRRR.

AI-analyzed exploit summary: This repository contains a functional CSRF exploit for CVE-2020-24033, targeting FS.com S3900 24T4S devices. The PoC demonstrates how an attacker can add a new admin user via a crafted HTML form due to missing CSRF protections.

Description

An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form has no authentication or token-based verification mechanism, which allows remote attackers to forge requests on behalf of a site administrator and change all settings, including deleting users and creating new users with escalated privileges.

Exploits (2)

gitlab WORKING POC
by M0NsTeRRR · poc
https://gitlab.com/M0NsTeRRR/CVE-2020-24033

This repository contains a functional CSRF exploit for CVE-2020-24033, targeting FS.com S3900 24T4S devices. The PoC demonstrates how an attacker can add a new admin user via a crafted HTML form due to missing CSRF protections.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: FS.com S3900 24T4S (versions up to 1.7.1)
No auth needed
Prerequisites: Victim must visit a malicious webpage while authenticated to the target device
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC
by M0NsTeRRR · poc
https://github.com/M0NsTeRRR/CVE-2020-24033

This PoC demonstrates a CSRF vulnerability in FS.com S3900 24T4S (1.7.1 and earlier) that allows an attacker to add a new admin user without authentication. The exploit leverages a lack of CSRF tokens in the user account creation form.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: FS.com S3900 24T4S (1.7.1 and earlier)
No auth needed
Prerequisites: Victim must be authenticated to the target device · Attacker must trick victim into visiting a malicious page
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/M0NsTeRRR/S3900-24T4S-CSRF-vulnerability
Exploit, Third Party Advisory x_refsource_misc
https://github.com/M0NsTeRRR/CVE-2020-24033

Scores

CVSS v3 8.8
EPSS 0.0097
EPSS Percentile 57.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-352
Status published
Products (1)
fs/s3900_24t4s_firmware < 1.7.0
Published Oct 22, 2020
Tracked Since Feb 18, 2026