CVE-2020-13658

8.0 HIGH

📋 TL;DR

This cross-site request forgery (CSRF) vulnerability in the Lansweeper web console lets a low-privileged authenticated user escalate to administrator. The attacker lures a logged-in Lansweeper administrator to a page they control; the administrator's browser then submits a forged state-changing request (for example, a user-permission change) that the console accepts because it relies on the session cookie alone, with no anti-CSRF token or origin check. The result is administrative control of the Lansweeper deployment.

💻 Affected Systems

Products:
  • Lansweeper
Versions: 8.0.130.17 and likely earlier versions
Operating Systems: Windows (primary deployment platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web console interface of Lansweeper. Requires authenticated low-level user access to initiate attack.

📦 What is this software?

Lansweeper is an IT asset discovery and inventory platform. Its web console is where administrators review scanned assets, manage scanning configuration and credentials, and assign application roles to console users; that console is the component affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Lansweeper deployment: the attacker gains administrative privileges, can change scanning and console configuration, read the full asset inventory, and reach the scanning credentials the server holds for WMI/SSH/SNMP access, which provides a path to pivot to the scanned hosts.

🟠

Likely Case

Privilege escalation within Lansweeper allowing unauthorized access to sensitive asset information and system configuration.

🟢

If Mitigated

Limited impact with proper CSRF protections and user awareness training in place.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires authenticated access, internet-facing Lansweeper instances increase attack surface.
🏢 Internal Only: HIGH - Internal attackers with low-level access can escalate privileges to compromise the entire Lansweeper deployment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs two things: an authenticated low-privileged Lansweeper user (the beneficiary of the privilege change) and a Lansweeper administrator who, while logged in, loads an attacker-controlled page or link. No click beyond loading the page is required when the forged request is auto-submitted. The technical advisory describes the exploitation methodology in detail.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.130.18 or later

Vendor Advisory: https://www.lansweeper.com/knowledgebase/security-update-for-lansweeper-8-0/

Restart Required: Yes

Instructions:

1. Download the latest Lansweeper version from the vendor portal.
2. Back up the current installation (including the database).
3. Run the installer to upgrade.
4. Restart the Lansweeper services.
5. Verify that the version shows 8.0.130.18 or higher.

🔧 Temporary Workarounds

Enforce anti-CSRF checks in front of the console

Applies to: all affected versions

Lansweeper is closed-source, so anti-CSRF tokens cannot be added to its request handlers by customers; only the vendor patch does that. As a stopgap, place a reverse proxy in front of the web console and reject state-changing requests (POST/PUT/DELETE) whose Origin header, or Referer header when Origin is absent, is not the console's own host.

This blocks the cross-site submission the attack depends on while leaving same-origin console traffic untouched. Test it against the console's normal workflows before enforcing, since any legitimate request that arrives without an Origin or Referer header will also be refused.

Restrict User Permissions

Applies to: all affected versions

Minimize the number of low-privileged console users and apply strict role-based access control; the attack requires such an account as its beneficiary.

Review and reduce user permissions in the Lansweeper administration console, and remove console access from accounts that only need reports.
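To make the defect and the fix concrete, the following Python model, added here and not taken from Lansweeper's code or the advisory, contrasts a privilege-change handler that trusts the session cookie alone with one that also requires a synchronizer token and checks the request Origin. The endpoint path `/useraccess`, the form field names, the role names, the console URL and the lure page are all assumptions chosen for the example.

```python
# Added example: CSRF on a privilege-change endpoint, vulnerable vs. hardened.
# Not Lansweeper's code. Paths, field names, roles and hostnames are placeholders.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LANSWEEPER_ORIGIN = "https://lansweeper.corp.example"  # assumed console URL

# Constructed user table: role of each console user.
USERS = {"admin": "Administrator", "lowpriv": "Asset Viewer"}


@dataclass
class Session:
    """Server-side session bound to the browser cookie."""
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: dict
    cookie_session: Session          # the browser attaches the admin's cookie automatically
    headers: dict = field(default_factory=dict)


# What the low-privileged user's lure page contains (constructed). Loading it in the
# admin's browser auto-submits the form; the session cookie rides along.
LURE_HTML = (
    f'<form id="f" method="POST" action="{LANSWEEPER_ORIGIN}/useraccess">'
    '<input name="user" value="lowpriv"><input name="role" value="Administrator">'
    '</form><script>document.getElementById("f").submit()</script>'
)


def vulnerable_set_role(req):
    """Pre-fix behaviour: a valid admin cookie is the only authorisation."""
    if req.method != "POST" or req.cookie_session.role != "Administrator":
        return 403
    USERS[req.form["user"]] = req.form["role"]
    return 200


def origin_allowed(headers):
    """Cross-site POSTs carry Origin (Referer as fallback); it must be our console."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance at all: refuse rather than guess
    got, want = urlsplit(src), urlsplit(LANSWEEPER_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def hardened_set_role(req):
    """Fixed behaviour: session + Origin check + per-session synchronizer token."""
    if req.method != "POST" or req.cookie_session.role != "Administrator":
        return 403
    if not origin_allowed(req.headers):
        return 403
    token = req.form.get("__csrf", "")
    # constant-time compare so the token cannot be guessed byte by byte
    if not hmac.compare_digest(token, req.cookie_session.csrf_token):
        return 403
    USERS[req.form["user"]] = req.form["role"]
    return 200


def forged_request(admin_session):
    """Request produced by LURE_HTML: admin's cookie, attacker's Origin, no token."""
    return Request("POST", "/useraccess",
                   {"user": "lowpriv", "role": "Administrator"},
                   admin_session, headers={"Origin": "https://evil.example"})


def legit_request(admin_session):
    """Same change made from the console itself, with the session's token."""
    return Request("POST", "/useraccess",
                   {"user": "lowpriv", "role": "Administrator",
                    "__csrf": admin_session.csrf_token},
                   admin_session, headers={"Origin": LANSWEEPER_ORIGIN})


def demo():
    """Returns (vuln status, role after vuln, hardened status, role after hardened, legit status)."""
    admin = Session("admin", "Administrator")
    USERS["lowpriv"] = "Asset Viewer"
    v = vulnerable_set_role(forged_request(admin))
    after_v = USERS["lowpriv"]
    USERS["lowpriv"] = "Asset Viewer"
    h = hardened_set_role(forged_request(admin))
    after_h = USERS["lowpriv"]
    ok = hardened_set_role(legit_request(admin))
    return v, after_v, h, after_h, ok


if __name__ == "__main__":
    print(demo())
```

The forged request is rejected by the Origin check before the token is even inspected; the token check is what protects a deployment where the proxy or browser strips Origin and Referer. Both checks together are what the vendor patch has to provide, and what the "verify fix" step below should exercise.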

🧯 If You Can't Patch

  • Implement network segmentation so the Lansweeper web console is reachable only from administrator workstations, not from general user networks
  • Have administrators use the console from a dedicated browser profile and log out when finished; CSRF only works while the administrator holds a live session
  • Enable detailed logging and monitoring for privilege and role changes in the console

🔍 How to Verify

Check if Vulnerable:

Check the Lansweeper version in the web console (Help > About). Version 8.0.130.17, and per this page likely earlier versions, is vulnerable. Note that comparing version strings lexically is a trap: "8.0.130.9" sorts after "8.0.130.17" as text, so compare the four components numerically.

Check Version:

In the Lansweeper web console navigate to Help > About, or check the file version of the Lansweeper service and web application binaries in the server installation directory.

Verify Fix Applied:

Verify that the version shows 8.0.130.18 or later. Then test the protection directly: capture a legitimate privilege-change request from the console, replay it from a different origin and without the session's anti-CSRF token, and confirm the server rejects it instead of applying the change.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected role or privilege changes in the Lansweeper audit logs, in particular a low-privileged user promoted to administrator
  • Privilege changes performed by an administrator's session that the administrator did not initiate; in CSRF the acting session is the victim's, so the actor field will show the admin, not the attacker

Network Indicators:

  • POST requests to Lansweeper user-management or configuration endpoints whose Origin or Referer header is absent or points to a host other than the Lansweeper console
  • Unusual outbound connections from the Lansweeper server after a privilege change, which may indicate post-compromise use of the scanning credentials

SIEM Query:

Field names below are placeholders and depend on how the Lansweeper audit log and the web server (IIS) logs are ingested. Because the action runs in the administrator's session, search on the target of the change rather than the actor:

source="lansweeper" (event_type="privilege_change" OR event_type="user_modification") actor_role="Administrator" target_role_new="Administrator" target_role_old!="Administrator"

And on the web server side, state-changing requests to admin endpoints that did not originate from the console (console host and endpoint path are placeholders):

source="iis" host="lansweeper" cs_method="POST" cs_uri_stem="/useraccess.aspx" sc_status=200 NOT cs_Referer="https://lansweeper.corp.example/*"
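The web-log rule above, run offline over constructed IIS W3C log lines, as an added example that is not part of the original page. The console hostname, the admin endpoint paths and every log line are assumptions made for the example; adjust `CONSOLE_HOST` and `ADMIN_PATHS` to the real deployment before using it.

```python
# Added example: flag successful state-changing requests to Lansweeper admin
# endpoints whose Referer is missing or belongs to another host, the footprint a
# CSRF-driven privilege change leaves in IIS logs. Not from the advisory.
from urllib.parse import urlsplit

CONSOLE_HOST = "lansweeper.corp.example"                        # assumed
ADMIN_PATHS = {"/useraccess.aspx", "/configuration.aspx"}       # placeholder endpoints

# Constructed IIS W3C log excerpt. IIS writes "-" for an absent Referer.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2020-06-01 09:14:02 10.0.0.5 GET /assets.aspx - 443 admin 10.0.0.42 Mozilla/5.0 https://lansweeper.corp.example/dashboard.aspx 200
2020-06-01 09:15:10 10.0.0.5 POST /useraccess.aspx - 443 admin 10.0.0.42 Mozilla/5.0 https://lansweeper.corp.example/useraccess.aspx 200
2020-06-01 09:31:47 10.0.0.5 POST /useraccess.aspx - 443 admin 10.0.0.42 Mozilla/5.0 http://intranet-wiki.corp.example/pages/lunch.html 200
2020-06-01 09:32:01 10.0.0.5 POST /useraccess.aspx - 443 admin 10.0.0.42 Mozilla/5.0 - 200
2020-06-01 09:40:00 10.0.0.5 POST /useraccess.aspx - 443 lowpriv 10.0.0.77 Mozilla/5.0 https://lansweeper.corp.example/useraccess.aspx 403
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def suspicious(rec):
    """Successful POST to an admin endpoint that was not initiated from our console."""
    if rec.get("cs-method") != "POST" or rec.get("cs-uri-stem") not in ADMIN_PATHS:
        return False
    if rec.get("sc-status") != "200":
        return False   # rejected attempts are noise for this rule; alert on them separately
    ref = rec.get("cs(Referer)", "-")
    if ref == "-":
        return True    # no provenance: browsers strip Referer on some cross-site loads
    return urlsplit(ref).hostname != CONSOLE_HOST


def find_csrf_candidates(text):
    """Return the records worth an analyst's attention, in log order."""
    return [rec for rec in parse_w3c(text) if suspicious(rec)]


if __name__ == "__main__":
    for hit in find_csrf_candidates(SAMPLE_LOG):
        print(hit["time"], hit["cs-username"], hit["cs-uri-stem"], hit["cs(Referer)"])
```

In the sample the two hits are the admin's own session submitting a user-access change from an intranet wiki page and from nowhere at all; the legitimate change at 09:15:10 and the low-privileged user's refused attempt at 09:40:00 are not flagged. Pair the hits with the Lansweeper audit log entry for the same minute to see which account was promoted.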
