CVE-2020-5777

CRITICAL NUCLEI

MAGMI <0.7.24 - Auth Bypass

Title source: llm

Description

MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections (default 151) is lower than Apache (or another web server) setting MaxRequestWorkers (formerly MaxClients) (default 256). This can be done by sending at least 151 simultaneous requests to the Magento website to trigger a "Too many connections" error, then use default magmi:magmi basic authentication to remotely bypass authentication.

Nuclei Templates (1)

Magento Mass Importer <0.7.24 - Remote Auth Bypass

CRITICALby dwisiswant0

Shodan: http.component:"Magento" || http.component:"magento"

References (1)

[Third Party Advisory] https://www.tenable.com/security/research/tra-2020-51

Scores

CVSS v3 9.8

EPSS 0.9147

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (2)

dweeves/magmi 0 - 0.7.24Packagist

magmi_project/magmi < 0.7.24

Published Sep 01, 2020

Tracked Since Feb 18, 2026