CVE-2020-22937

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary PHP code on EmpireCMS 7.5 installations by writing malicious code to the install.php file. Attackers can achieve complete system compromise without authentication. All EmpireCMS 7.5 installations with the default install script accessible are affected.

💻 Affected Systems

Products:
  • EmpireCMS
Versions: 7.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation script that should be removed after installation but often remains accessible.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server takeover with attacker gaining full control over the web server, database, and underlying operating system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Webshell deployment allowing persistent access, data exfiltration, defacement, and use of the compromised server for further attacks.

🟢

If Mitigated

Limited impact if install script is properly removed after installation, with attackers unable to reach the vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial and requires no authentication. Public proof-of-concept code is available in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.5 with the install script removed, or a later version

Vendor Advisory: https://github.com/leadscloud/EmpireCMS/issues/4

Restart Required: No

Instructions:

1. Immediately delete the /e/install/ directory and all its contents.
2. Verify the directory is completely removed from the web root.
3. Consider upgrading to the latest EmpireCMS version if available.

🔧 Temporary Workarounds

Remove Install Directory

Platform: linux

Delete the vulnerable install directory to prevent exploitation

rm -rf /path/to/empirecms/e/install/

Block Access via Web Server

Platform: all

Configure web server to deny all access to the install directory

# Apache: Add 'Deny from all' to .htaccess in /e/install/ (on Apache 2.4 without mod_access_compat, use 'Require all denied')
# Nginx: Add 'location /e/install/ { deny all; }' to server config

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the EmpireCMS server
  • Deploy web application firewall (WAF) rules to block requests to /e/install/ paths

🔍 How to Verify

Check if Vulnerable:

Check if /e/install/index.php exists and is accessible via web browser or curl:

curl -I http://yoursite.com/e/install/index.php

Check Version:

Check EmpireCMS version in admin panel or read version.txt in installation directory

Verify Fix Applied:

Confirm that the /e/install/ directory no longer exists and that requests to it return 404 or 403
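The verification steps above can be scripted. The following is an added example written for this advisory, not code from EmpireCMS or from the advisory itself: it checks whether e/install is still present under a web root you pass in, issues the same HEAD request as curl -I, and maps the status code to a result. The web root path, base URL and the "exposed/blocked/removed" labels are this example's own assumptions. Note that a 403 alone means the web-server workaround is in place while the files are still on disk; the script only reports the fix as applied when the directory is gone and the endpoint no longer answers 200.

```python
#!/usr/bin/env python3
"""Verify whether an EmpireCMS install script is still reachable.

Added example for CVE-2020-22937, not EmpireCMS project code. It checks the two
things the advisory asks for: that <webroot>/e/install no longer exists on disk,
and how to read the status code returned for /e/install/index.php.
"""
import sys
import urllib.error
import urllib.request
from pathlib import Path

INSTALL_PATH = "/e/install/index.php"  # endpoint named in the advisory


def install_dir_exists(webroot: str) -> bool:
    """True if the vulnerable install directory is still under the web root."""
    return (Path(webroot) / "e" / "install").is_dir()


def interpret_status(code: int) -> str:
    """Map an HTTP status for /e/install/index.php to a verification result.

    200 -> exposed  (install script still answers requests)
    403 -> blocked  (web-server workaround in place; files may still exist)
    404 -> removed  (directory deleted)
    """
    if code == 200:
        return "exposed"
    if code == 403:
        return "blocked"
    if code == 404:
        return "removed"
    return "unknown"


def head_status(url: str, timeout: float = 5.0) -> int:
    """Send a HEAD request (what `curl -I` does) and return the status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises for 403/404; the code is still useful


def fix_applied(webroot: str, status: int) -> bool:
    """The fix counts as applied only when the directory is gone AND the
    endpoint no longer answers 200. A 403 with files present is a workaround."""
    return not install_dir_exists(webroot) and interpret_status(status) != "exposed"


if __name__ == "__main__":
    # usage: verify_install.py <webroot> <base-url>   (hypothetical script name)
    webroot, base_url = sys.argv[1], sys.argv[2].rstrip("/")
    status = head_status(base_url + INSTALL_PATH)
    print(f"{INSTALL_PATH}: HTTP {status} -> {interpret_status(status)}")
    print(f"e/install present on disk: {install_dir_exists(webroot)}")
    print("fix applied" if fix_applied(webroot, status) else "STILL AT RISK")
```

Run it on the host that serves EmpireCMS, pointing at the document root and the site's base URL; the on-disk check is what catches a deployment where a reverse proxy returns 403 but the install script was never deleted.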

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /e/install/index.php with POST parameters containing PHP code
  • Unusual file creation in web root directory
  • Suspicious PHP process execution

Network Indicators:

  • Outbound connections from web server to unknown IPs shortly after access to install script
  • Large data exfiltration from database server

SIEM Query:

source="web_access.log" AND uri="/e/install/index.php" AND (method="POST" OR status=200)
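For environments without a SIEM, the same rule can be run directly over web server access logs. The script below is an added example for this advisory, not part of the advisory or of EmpireCMS: it parses combined-format log lines and flags every request to /e/install/index.php that is either a POST or was answered with 200, exactly the condition of the SIEM query. The severity labels, the query-string stripping, and the sample log lines are this example's own constructions; the sample IPs are documentation addresses, not real traffic.

```python
#!/usr/bin/env python3
"""Flag access-log lines matching the CVE-2020-22937 SIEM query.

Added example, not advisory or EmpireCMS code. Condition implemented:
    uri == /e/install/index.php AND (method == POST OR status == 200)
"""
import re
from typing import Dict, List, Optional

# Apache/Nginx combined format: host ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

INSTALL_URI = "/e/install/index.php"

# Constructed sample lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /e/install/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /e/install/index.php HTTP/1.1" 200 812 "-" "python-requests/2.28"
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /e/install/index.php HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:02:12 +0000] "POST /e/install/index.php HTTP/1.1" 403 153 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 9023 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Severity for entries matching the SIEM condition, else None.

    POST answered 200 -> "high"   (install script accepted input)
    POST not 200      -> "low"    (attempt hit the workaround; still worth noting)
    GET answered 200  -> "medium" (install script reachable; fix not applied)
    """
    if entry["uri"].split("?", 1)[0] != INSTALL_URI:  # ignore any query string
        return None
    is_post = entry["method"] == "POST"
    ok = entry["status"] == "200"
    if is_post and ok:
        return "high"
    if is_post:
        return "low"
    if ok:
        return "medium"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run the rule over a block of log text and return one alert per hit."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            alerts.append({
                "severity": severity,
                "ip": entry["ip"],
                "time": entry["time"],
                "method": entry["method"],
                "status": entry["status"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['ip']} "
              f"{alert['method']} {alert['status']}")
```

On the constructed sample the script raises three alerts: the GET that found the script reachable, the POST that succeeded, and the POST that was blocked; a 404 on GET and unrelated URIs produce nothing. A successful POST to the install script on a server that has finished installation has no legitimate explanation and should be triaged first.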
