CVE-2020-26155

HIGH

Utimaco Block-safe Firmware < 4.31.0 - Uncontrolled Search Path

Title source: rule

Description

Multiple files and folders in Utimaco SecurityServer 4.20.0.4 and 4.31.1.0. are installed with Read/Write permissions for authenticated users, which allows for binaries to be manipulated by non-administrator users. Additionally, entries are made to the PATH environment variable which, in conjunction with these weak permissions, could enable an attacker to perform a DLL hijacking attack.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_misc

https://hsm.utimaco.com/products-hardware-security-modules/general-purpose-hsm/

Third Party Advisory x_refsource_misc

https://secureyourit.co.uk/wp/2021/03/13/utimaco-cve-2020-26155/

Scores

CVSS v3 7.8

EPSS 0.0004

EPSS Percentile 12.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-427 CWE-732

Status published

Products (8)

utimaco/block-safe_firmware 2.0.0

utimaco/block-safe_firmware 3.0.0

utimaco/cryptoserver_cp5_firmware 5.0.0.0

utimaco/cryptoserver_cp5_firmware 5.1.0.0

utimaco/cryptoserver_cp5_vs-nfd_firmware 5.1.0.0

utimaco/paymentserver_firmware 3.0 - 4.31.0

utimaco/paymentserver_hybrid_firmware 3.0 - 4.33.0

utimaco/securityserver_firmware 3.0 - 4.31.1

Published Mar 18, 2021

Tracked Since Feb 18, 2026