CVE-2020-17456
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on affected SEOWON INTECH routers via the ipAddr parameter in the system_log.cgi page. It affects SEOWON INTECH SLC-130 and SLR-120S devices. Attackers can gain full control of vulnerable devices exposed to the internet.
💻 Affected Systems
- SEOWON INTECH SLC-130
- SEOWON INTECH SLR-120S
📦 What is this software?
Slc 130 Firmware by Seowonintech
Slr 120d42g Firmware by Seowonintech
Slr 120s Firmware by Seowonintech
Slr 120s42g Firmware by Seowonintech
Slr 120t42g Firmware by Seowonintech
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover, lateral movement into internal networks, data exfiltration, and persistent backdoor installation.
Likely Case
Router compromise leading to network traffic interception, credential theft, and use as attack platform.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.
🎯 Exploit Status
Multiple public exploits available, trivial to execute with basic scripting knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest firmware from vendor (specific version not publicly documented)
Vendor Advisory: Not publicly available
Restart Required: Yes
Instructions:
1. Check vendor website for latest firmware.
2. Download appropriate firmware for your model.
3. Backup current configuration.
4. Upload firmware via admin interface.
5. Reboot device.
🔧 Temporary Workarounds
Block system_log.cgi access
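Linux: Use firewall rules to block access to the vulnerable endpoint
# The string match inspects cleartext only, so the port-443 rule cannot see a URI inside TLS.
# INPUT filters traffic addressed to the host running iptables; on a gateway in front of the router, use the FORWARD chain.
iptables -A INPUT -p tcp --dport 80 -m string --string "system_log.cgi" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "system_log.cgi" --algo bm -j DROP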
Network segmentation
All platforms: Isolate routers in a separate VLAN with strict access controls
🧯 If You Can't Patch
- Immediately remove affected devices from internet-facing positions
- Implement strict network segmentation and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Test if system_log.cgi endpoint accepts ipAddr parameter with command injection payloads (use caution in production)
Check Version:
Check firmware version in router admin interface or via curl -k https://router-ip/status.cgi
Verify Fix Applied:
Attempt exploitation after patch - should no longer execute commands
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to system_log.cgi
- ipAddr parameter containing shell metacharacters
- Unexpected command execution in system logs
Network Indicators:
- HTTP requests to system_log.cgi with suspicious ipAddr values
- Outbound connections from router to unexpected destinations
SIEM Query:
source="router_logs" AND uri="*system_log.cgi*" AND (param="*ipAddr=*|*" OR param="*ipAddr=*;*" OR param="*ipAddr=*`*")
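Added example (not part of the original advisory, and not vendor code): the log indicators above as a small scanner that percent-decodes the request before checking ipAddr, so encoded forms such as %3B or %60 are caught where a literal-string query would miss them. The log line layout (source, method, URI, body), the request path prefix and all sample values are constructed assumptions; flagging any non-IP value is also an assumption about how the parameter is normally used.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Characters the SIEM query looks for, plus other shell command separators.
SHELL_META = set("|;`&$()<>\n\r")

def check_ipaddr(value):
    """Return None if value is a plain IP address, else a reason string."""
    hits = sorted(SHELL_META.intersection(value))
    if hits:
        return "shell metacharacters: " + " ".join(repr(c) for c in hits)
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return "not an IP address"
    return None

def scan(lines):
    """Return (source, reason) for each system_log.cgi request with a bad ipAddr."""
    findings = []
    for line in lines:
        fields = line.split(" ", 3)  # assumed layout: src method uri body
        if len(fields) != 4:
            continue
        src, method, uri, body = fields
        parts = urlsplit(uri)
        if not parts.path.endswith("system_log.cgi"):
            continue
        # parse_qsl percent-decodes, so %3B and %60 are seen as ; and `
        params = parse_qsl(parts.query, keep_blank_values=True)
        if method == "POST" and body != "-":
            params += parse_qsl(body, keep_blank_values=True)
        for name, value in params:
            reason = check_ipaddr(value) if name == "ipAddr" else None
            if reason:
                findings.append((src, reason))
    return findings

# Constructed sample records (documentation address ranges, placeholder values).
SAMPLE = [
    "198.51.100.7 POST /system_log.cgi ipAddr=192.168.1.1",
    "203.0.113.5 POST /system_log.cgi ipAddr=192.168.1.1%3Bx",
    "203.0.113.5 GET /system_log.cgi?ipAddr=192.168.1.1|x -",
    "203.0.113.9 POST /system_log.cgi ipAddr=%60x%60",
    "198.51.100.8 POST /system_log.cgi ipAddr=router.local",
    "198.51.100.7 GET /index.html -",
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE):
        print(src, reason)
```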
🔗 References
- http://packetstormsecurity.com/files/158933/Seowon-SlC-130-Router-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/166273/Seowon-SLR-120-Router-Remote-Code-Execution.html
- https://github.com/TAPESH-TEAM/CVE-2020-17456-Seowon-SLR-120S42G-RCE-Exploit-Unauthenticated
- https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/
- https://www.exploit-db.com/exploits/50821