CVE-2020-37002

CRITICAL

Ajenti 2.1.36 - Authenticated Remote Code Execution via Terminal API

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37002. PoCs published by Ahmet Ümit BAYRAM.

AI-analyzed exploit summary This Python script exploits an authenticated remote command execution vulnerability in a web application by sending a crafted API request to execute a reverse shell via netcat. It first authenticates with provided credentials, then sends a payload to the terminal creation endpoint.

Description

Ajenti 2.1.36 contains a post-authenticated remote command execution vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port.

Exploits (1)

exploitdb WORKING POC

by Ahmet Ümit BAYRAM · pythonwebappspython

https://www.exploit-db.com/exploits/48929

View Code ZIP pw:eip

This Python script exploits an authenticated remote command execution vulnerability in a web application by sending a crafted API request to execute a reverse shell via netcat. It first authenticates with provided credentials, then sends a payload to the terminal creation endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Unknown (likely a web application with a terminal API endpoint)

Auth required

Prerequisites: Valid credentials for the target application · Network access to the target · Listener set up on attacker's machine

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/48929

Various Sources product

https://github.com/ajenti/ajenti

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/ajenti-remote-code-execution

Scores

CVSS v3 9.8

EPSS 0.0065

EPSS Percentile 46.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

Ajenti Project/Ajenti 2.1.36

Published Jan 29, 2026

Tracked Since Feb 18, 2026