CVE-2020-37153

CRITICAL

ASTPP 4.0.1 - XSS, Command Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37153. PoCs published by Fabien AUNAY.

AI-analyzed exploit summary

This exploit demonstrates a chained attack against ASTPP VoIP 4.0.1, starting with XSS in SIP device fields, followed by session hijacking, command injection via plugin installation, and privilege escalation to root via a misconfigured cron job. The PoC includes clear steps for achieving remote code execution and root access.

Description

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.

Exploits (1)

Exploit-DB · Working PoC
by Fabien AUNAY · text · remote · linux
https://www.exploit-db.com/exploits/47889

Classification
Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ASTPP VoIP 4.0.1
Auth required
Prerequisites: Access to ASTPP admin panel · Ability to modify SIP device settings · Network access to the target system
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Exploit, Third Party Advisory: https://www.exploit-db.com/exploits/47889
Product: https://www.astppbilling.org/
Product: https://github.com/iNextrix/ASTPP

Scores

CVSS v3: 9.8
EPSS: 0.0443
EPSS Percentile: 90.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-79
Status: published
Products (1): inextrix/astpp 4.0.1
Published: Feb 11, 2026
Tracked Since: Feb 18, 2026