CVE-2020-21999
📋 TL;DR
This vulnerability allows authenticated attackers with default credentials to execute arbitrary operating system commands as root on iWT Ltd FaceSentry Access Control System. Attackers can inject malicious commands through the 'strInIP' parameter in the pingTest PHP script. Organizations using FaceSentry Access Control System version 6.4.8 with default credentials are affected.
💻 Affected Systems
- iWT Ltd FaceSentry Access Control System
📦 What is this software?
Facesentry Access Control System Firmware by Iwt
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, allowing installation of persistent backdoors, data exfiltration, lateral movement to other systems, and disruption of physical access control operations.
Likely Case
Attackers gain root shell access to the access control system, potentially disabling security controls, stealing credential data, and using the system as a pivot point to attack other network resources.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and monitoring that detects command injection attempts before successful exploitation.
🎯 Exploit Status
Exploit requires authentication with default credentials. Public exploit code is available on Exploit-DB and other sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not publicly available
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. If a patch is available, download and apply it according to the vendor instructions.
3. Verify the fix by testing the vulnerability.
🔧 Temporary Workarounds
Change Default Credentials
Immediately change all default passwords and usernames to strong, unique credentials.
Use the system administration interface to change credentials.
Restrict Access to pingTest Script
Block or restrict access to the vulnerable pingTest.php script using the web server configuration.
# Apache: Add to .htaccess or virtual host config
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the <Files> block instead of the two lines below.
# In .htaccess this needs AllowOverride Limit to be permitted for the directory.)
<Files "pingTest.php">
Order Deny,Allow
Deny from all
</Files>
# Nginx: Add to server block
# (Regex locations are matched in order, so this block must appear before the generic PHP handler location,
# otherwise the request is still passed to PHP-FPM.)
location ~ /pingTest\.php$ {
    deny all;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the access control system from other critical networks
- Deploy web application firewall (WAF) rules to block command injection patterns targeting the strInIP parameter
🔍 How to Verify
Check if Vulnerable:
Attempt to authenticate with default credentials and test the pingTest.php endpoint with command injection payloads in the strInIP parameter.
Check Version:
Check the system administration interface or documentation for version information.
Verify Fix Applied:
Test that command injection no longer works after implementing the workarounds. Verify that the default credentials have been changed and that the pingTest script is inaccessible.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to pingTest.php with shell metacharacters in parameters
- Multiple failed login attempts followed by successful login with default credentials
- Unexpected system processes spawned by the web server user
Network Indicators:
- HTTP POST requests containing shell commands in strInIP parameter
- Outbound connections from access control system to unexpected destinations
SIEM Query:
source="web_server_logs" AND uri="/pingTest.php" AND param="strInIP" AND (value MATCHES "[;&|`$()]" OR value MATCHES "\\.\\./")
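As an added example (not part of this advisory or the vendor's code), the same detection logic as the SIEM query above applied to raw web server log lines in Python: it isolates requests to pingTest.php, extracts the strInIP parameter from the query string and the request body, and flags any value that contains shell metacharacters or is not a plain IP address or hostname. The log layout is an assumption constructed for the example (combined log format with the POST body recorded as a trailing quoted field, as a reverse proxy might log it), and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that never belong in a ping target but let a shell chain commands.
SHELL_META = re.compile(r"[;&|`$()<>\r\n]")
# Allow-list for a legitimate ping target (IPv4 or hostname); spaces, quotes etc. fail it too.
ALLOWED_TARGET = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)$")
# Assumed log layout (constructed for this example): combined-log style with the
# POST body appended as a final quoted field, as a reverse proxy might record it.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

def strinip_values(target: str, body: str) -> list:
    """Every strInIP value sent to pingTest.php, from query string and body (decoded once)."""
    url = urlsplit(target)
    if not url.path.lower().endswith("/pingtest.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    if body and body != "-":
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    return params.get("strInIP", [])

def find_injection_attempts(lines: list) -> list:
    """Flag pingTest.php requests whose strInIP is not a plain IP address or hostname."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        for value in strinip_values(m["target"], m["body"]):
            if SHELL_META.search(value) or not ALLOWED_TARGET.match(value):
                hits.append({"src": m["src"], "ts": m["ts"], "value": value})
    return hits

# Constructed sample lines: line 1 is a normal ping, lines 2 and 3 carry shell
# metacharacters in strInIP, line 4 has a metacharacter but is not pingTest.php.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /pingTest.php HTTP/1.1" 200 512 "strInIP=192.168.1.20"',
    '10.0.0.9 - - [12/Mar/2024:10:03:15 +0000] "POST /pingTest.php HTTP/1.1" 200 2048 "strInIP=192.168.1.20%3Bid"',
    '10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "GET /pingTest.php?strInIP=%24%28hostname%29 HTTP/1.1" 200 900 "-"',
    '10.0.0.7 - - [12/Mar/2024:10:05:00 +0000] "POST /search.php HTTP/1.1" 200 100 "q=a%3Bb"',
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} strInIP={hit['value']!r}")
```

The allow-list check matters more than the metacharacter list: it also catches spaces, quotes and encoded newlines that a metacharacter regex alone would miss.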