CVE-2020-9020
CRITICAL
EXPLOITED IN THE WILD
Iteris Vantage Velocity Firmware 2.3.1, 2.4.2, 3.0 - OS Command Injection via NTP Server Field
Title source: llm
Exploitation Summary
CVE-2020-9020 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://sku11army.blogspot.com/2020/01/iteris-vantage-velocity-field-unit-os.html
Scores
CVSS v3: 9.8
EPSS: 0.0247
EPSS Percentile: 82.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2021-03-03
InTheWild.io: 2021-03-17
CWE: CWE-78
Status: published
Products (3)
iteris/vantage_velocity_firmware 2.3.1
iteris/vantage_velocity_firmware 2.4.2
iteris/vantage_velocity_firmware 3.0
Published: Feb 17, 2020
Tracked Since: Feb 18, 2026