CVE-2020-13661

8.8 HIGH

📋 TL;DR

This vulnerability in Telerik Fiddler allows attackers to execute arbitrary programs on a victim's system by tricking them into using the 'Open On Browser' option with a specially crafted hostname containing a trailing space and command injection arguments. Users of Fiddler versions through 5.0.20202.18177 are affected.

💻 Affected Systems

Products:
  • Telerik Fiddler
Versions: Through 5.0.20202.18177
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction - victim must choose 'Open On Browser' option. Fiddler is primarily a Windows application.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker executing arbitrary malicious programs with the victim's privileges, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Limited program execution based on what the attacker can trick the user into running, potentially leading to malware installation or credential harvesting.

🟢 If Mitigated

No impact if users avoid the 'Open On Browser' option with untrusted hostnames or if proper application allowlisting is enforced.

🌐 Internet-Facing: LOW - This requires user interaction with the 'Open On Browser' option, making it difficult to exploit remotely without social engineering.
🏢 Internal Only: MEDIUM - Internal users could be tricked via phishing or malicious internal sites, but still requires specific user action.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but the technique is simple and publicly documented. The victim must click 'Open On Browser' on a malicious hostname.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.20204

Vendor Advisory: https://www.telerik.com/support/whats-new/fiddler/release-history/fiddler-v5.0.20204

Restart Required: Yes

Instructions:

1. Download Fiddler v5.0.20204 or later from the Telerik website.
2. Run the installer.
3. Follow the installation prompts.
4. Restart Fiddler after installation completes.

🔧 Temporary Workarounds

Disable 'Open On Browser' functionality
Platform: windows
Prevent users from using the vulnerable 'Open On Browser' option.

User awareness training
Platform: all
Train users to avoid using 'Open On Browser' on untrusted or suspicious hostnames.

🧯 If You Can't Patch

  • Implement application allowlisting to prevent execution of unauthorized programs
  • Restrict Fiddler usage to trusted networks and users only

🔍 How to Verify

Check if Vulnerable:

Check Fiddler version in Help > About. If version is 5.0.20202.18177 or earlier, you are vulnerable.

Check Version:

In Fiddler: Help > About

Verify Fix Applied:

Verify version is 5.0.20204 or later in Help > About. Test that 'Open On Browser' no longer executes arbitrary commands.

📡 Detection & Monitoring

Log Indicators:

  • Process execution events from Fiddler.exe with unusual command-line arguments containing '--utility-and-browser --utility-cmd-prefix='

Network Indicators:

  • HTTP requests to hostnames containing trailing spaces followed by command injection patterns

SIEM Query:

Process Creation where Image contains 'fiddler.exe' and CommandLine contains '--utility-and-browser --utility-cmd-prefix='
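As an added example (not part of this advisory), the query above expressed as a Python check run over constructed Sysmon-style process-creation events and HTTP Host values: it matches the page's command-line indicator and flags Host values where whitespace is followed by a switch-like token. The sample events, the generic browser path, and the assumption that the browser Fiddler opens shows up as a child of fiddler.exe are mine.

```python
from __future__ import annotations
import ntpath
import re

# Command-line indicator quoted in the advisory's detection section.
INDICATOR = "--utility-and-browser --utility-cmd-prefix="

# Constructed sample telemetry for this demo (not real captured data):
# Sysmon Event ID 1 style process-creation events plus HTTP Host values.
PROCESS_EVENTS = [
    {"UtcTime": "2020-06-01 10:00:01", "Image": r"C:\Program Files\Fiddler\Fiddler.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Fiddler\Fiddler.exe"'},
    {"UtcTime": "2020-06-01 10:02:13", "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Program Files\Fiddler\Fiddler.exe",
     "CommandLine": r'"browser.exe" http://example.test --utility-and-browser --utility-cmd-prefix=PLACEHOLDER'},
    {"UtcTime": "2020-06-01 10:05:40", "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"browser.exe" https://example.test/'},
]
HOSTS = ["example.test", "example.test --utility-cmd-prefix=PLACEHOLDER", "[::1]:8080"]

def is_fiddler(image: str) -> bool:
    """True when the image path's file name is fiddler.exe (case-insensitive)."""
    return ntpath.basename(image).lower() == "fiddler.exe"

def match_process(event: dict) -> str | None:
    """Return a reason string if the process event matches the indicator, else None."""
    if INDICATOR not in event.get("CommandLine", ""):
        return None
    if is_fiddler(event.get("Image", "")):          # the page's own SIEM query
        return "fiddler.exe launched with injected utility arguments"
    if is_fiddler(event.get("ParentImage", "")):    # assumption: the browser runs as Fiddler's child
        return "child of fiddler.exe carries injected utility arguments"
    return None

def suspicious_host(host: str) -> bool:
    """A Host value never legitimately contains whitespace; whitespace followed by
    a switch-like token is the 'trailing space plus arguments' shape described above."""
    return re.search(r"\S\s+-{1,2}\S", host) is not None

def scan(events: list[dict], hosts: list[str]) -> list[tuple[str, str, str]]:
    """Run both checks and return (source, subject, reason) findings."""
    hits = [(e["UtcTime"], e["Image"], r) for e in events if (r := match_process(e))]
    hits += [("host", h, "whitespace followed by switch-like token") for h in hosts if suspicious_host(h)]
    return hits
```

Real deployments would feed `scan` from the SIEM export rather than the embedded samples; the Host check is cheap enough to run on every proxied request.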
