CVE-2020-25068
moderate-risk
Published 2020-09-03
Setelsa Conacwin v3.7.1.2 is vulnerable to a local file inclusion vulnerability. This vulnerability allows a remote unauthenticated attacker to read internal files on the server via an http://IP:PORT/../../path/file_to_disclose Directory Traversal URI. NOTE: The manufacturer indicated that the affected version does not exist. Furthermore, they indicated that they detected this problem in an internal audit more than 3 years ago and fixed it in 2017.
Do I need to act?
15.2% chance of exploitation in next 30 days
EPSS score — higher than 85% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High · NETWORK / LOW complexity
Affected Products (1)
Affected Vendors
References (6)
Vendor Advisory
http://setelsa-security.es/productos/control-de-acceso/
Third Party Advisory
https://github.com/bryanroma/CVE-2020-25068
44 / 100 · moderate-risk
Severity: 26/34 · High
Exploitability: 13/34 · Low
Exposure: 5/34 · Minimal