CVE-2020-37168

CRITICAL

Ecommerce Systempay 1.0 Production Key Brute Force

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37168. PoCs published by live3.

AI-analyzed exploit summary: This PHP script performs a brute-force attack to recover the production key used by Ecommerce Systempay for signature validation. It reconstructs the signature from intercepted POST data and iterates through possible keys to find a match.

Description

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.

Exploits (1)

exploitdb · WORKING POC
by live3 · php · webapps
https://www.exploit-db.com/exploits/48017


Classification: Working PoC (95% confidence)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Ecommerce Systempay 1.0
Authentication: none needed
Prerequisites: Intercepted POST data from a Systempay payment form · SHA1-signed signature for validation
Analyzed by devstral-2 on May 13, 2026

References (4)

Exploit: ExploitDB-48017
https://www.exploit-db.com/exploits/48017
Product: Official Product Homepage
https://paiement.systempay.fr/doc/fr-FR/
Third Party Advisory: VulnCheck Advisory: Ecommerce Systempay 1.0 Production Key Brute Force
https://www.vulncheck.com/advisories/ecommerce-systempay-production-key-brute-force

Scores

CVSS v3 9.8
EPSS 0.0025
EPSS Percentile 15.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-328
Status published
Products (1)
Paiement/Ecommerce Systempay 1.0
Published May 13, 2026
Tracked Since May 13, 2026