CVE-2020-7388

CRITICAL

Sage X3 AdxAdmin < 93.2.53 - Unauthenticated Remote Command Execution via AdxDSrv.exe Authentication Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-7388. PoCs published by ac3lives, including Metasploit module exploits/windows/sage/x3_adxsrv_auth_bypass_cmd_exec.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2020-7388, an unauthenticated RCE vulnerability in Sage X3's AdxDSrv service. The exploit leverages a custom protocol to execute arbitrary commands as SYSTEM by crafting specific byte streams.

Description

Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.

Exploits (2)

nomisec WORKING POC 1 stars

by ac3lives · poc

https://github.com/ac3lives/sagex3-cve-2020-7388-poc

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2020-7388, an unauthenticated RCE vulnerability in Sage X3's AdxDSrv service. The exploit leverages a custom protocol to execute arbitrary commands as SYSTEM by crafting specific byte streams.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Sage X3 AdxDSrv service (AdxAdmin component)

No auth needed

Prerequisites: Network access to TCP port 1818 (or custom port) on the target Sage X3 server

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC GOOD

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/sage/x3_adxsrv_auth_bypass_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass in Sage X3 AdxSrv's administration protocol to execute arbitrary commands as SYSTEM. It leverages CVE-2020-7388 to write and execute payloads (commands, DLLs, or executables) on the target system.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Sage X3 AdxSrv (AdxAdmin service)

No auth needed

Prerequisites: Network access to port 1818 · AdxAdmin service running on target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 24, 2026 Full analysis →

References (3)

Core 3

Core References

Broken Link x_refsource_misc

https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed

Patch, Vendor Advisory x_refsource_confirm

https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches

Exploit, Third Party Advisory

https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/

Scores

CVSS v3 10.0

EPSS 0.6880

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Details

CWE

CWE-290

Status published

Products (1)

sage/adxadmin < 93.2.53

Published Jul 22, 2021

Tracked Since Feb 18, 2026