CVE-2020-16210

9.0 CRITICAL

📋 TL;DR

CVE-2020-16210 is a reflected cross-site scripting (XSS) vulnerability in Red Lion's N-Tron 702-W and 702M12-W industrial switches. Input passed to the web interface is returned without adequate encoding, so an attacker can inject malicious scripts. If exploited, it can enable remote code execution and let the attacker perform actions as the attacked user. All versions of these devices are affected.

💻 Affected Systems

Products:
  • Red Lion N-Tron 702-W
  • Red Lion N-Tron 702M12-W
Versions: All versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: These are industrial Ethernet switches; the vulnerability is in the web management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could remotely execute arbitrary code, compromise the device, and pivot to other systems on the network, leading to full network control or data theft.

🟠 Likely Case

Attackers may steal user sessions, perform unauthorized actions, or deploy malware via the web interface, disrupting industrial operations.

🟢 If Mitigated

With proper input validation and output encoding, the risk is reduced to minimal, preventing script injection and limiting impact to isolated incidents.

🌐 Internet-Facing: HIGH, as these devices are often exposed to the internet in industrial settings, making them easy targets for remote exploitation.
🏢 Internal Only: MEDIUM, as internal attackers could still exploit it if network access is gained, but requires some level of access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits are publicly available, making it easy for attackers to leverage; no authentication is required to trigger the XSS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-240-01

Restart Required: No

Instructions:

No official patch exists; refer to the vendor advisory for updates and rely on workarounds or replacement.

🔧 Temporary Workarounds

Disable Web Interface

all

Turn off the web management interface to prevent XSS attacks via network access.

Access the device CLI and use the command that disables the web server (the specific command varies by device).

Network Segmentation

all

Isolate affected devices in a separate VLAN to limit exposure and access.

Configure network switches to restrict traffic to/from vulnerable devices.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding on any custom applications interacting with the device.
  • Monitor network traffic for unusual patterns and restrict access to the device's web interface using firewalls.

🔍 How to Verify

Check if Vulnerable:

Test the web interface by injecting a simple script (e.g., <script>alert('test')</script>) into input fields and check if it executes.

Check Version:

Log in to the device web interface or CLI and check the firmware version in settings (the specific command varies).

Verify Fix Applied:

Verify that script injections no longer execute and that the web interface is disabled or segmented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests with script tags or encoded payloads in web server logs.

Network Indicators:

  • Suspicious traffic to device web ports (e.g., 80, 443) with XSS patterns.

SIEM Query:

source="device_logs" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:")
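
The query above matches only literal strings, while the log indicator also calls for encoded payloads. The following added example (not part of the original page or any vendor tooling) decodes nested URL and HTML-entity encoding before matching. It assumes requests are captured in Common Log Format by a proxy or sensor in front of the switch; the log lines, paths and addresses are constructed.

```python
import re
from html import unescape
from urllib.parse import unquote_plus

# Assumption: Common Log Format written by a proxy or sensor in front of the
# switch; the device's own log format is not described on this page.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Markup that has no place in a management-interface URL. The event-handler
# pattern is deliberately broad; tune it against your own traffic.
XSS_RE = re.compile(
    r'<\s*script\b|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b', re.I)

def normalize(target, max_rounds=3):
    """Undo nested URL and HTML-entity encoding so the match sees plain text."""
    for _ in range(max_rounds):
        decoded = unescape(unquote_plus(target))
        if decoded == target:
            break
        target = decoded
    return target

def scan(lines):
    """Return (source_ip, decoded_target) for requests that look like script injection."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        decoded = normalize(m.group("target"))
        if XSS_RE.search(decoded):
            hits.append((m.group("src"), decoded))
    return hits

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2020:10:00:05 +0000] "GET /status?name=<script>alert(1)</script> HTTP/1.1" 200 733',
    '198.51.100.7 - - [01/Sep/2020:10:00:09 +0000] "GET /status?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 733',
    '203.0.113.4 - - [01/Sep/2020:10:01:12 +0000] "GET /status?name=%253Cscript%253Ealert(1) HTTP/1.1" 200 640',
    '192.0.2.10 - - [01/Sep/2020:10:02:00 +0000] "GET /config?port=1&mode=auto HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for src, target in scan(SAMPLE_LOG):
        print(f"ALERT {src} {target}")
```

The literal query would flag only the second sample line; the single- and double-encoded requests are caught only after decoding.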
