CVE-2020-26041

9.8 CRITICAL

📋 TL;DR

CVE-2020-26041 is a remote code execution vulnerability in the install/index.php script shipped with Hoosk CMS v1.8.0. An unauthenticated attacker who can reach the installer over HTTP can execute arbitrary code in the context of the web server user. Every v1.8.0 deployment that still serves the install directory is affected; once the installer has been deleted or blocked the vulnerable code is unreachable.

💻 Affected Systems

Products:
  • Hoosk CMS
Versions: v1.8.0
Operating Systems: All operating systems running Hoosk CMS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the installation script which should be removed after installation but is often left accessible.

📦 What is this software?

Hoosk is an open-source content management system written in PHP on the CodeIgniter framework. Initial setup is performed by a web-based installer under install/, which is meant to be removed once the site is configured.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to internal networks, and maintain persistent access.

🟠

Likely Case

Web server compromise leading to website defacement, data theft, cryptocurrency mining, or use as part of a botnet.

🟢

If Mitigated

No impact if install directory is properly removed or access is blocked before production deployment.

🌐 Internet-Facing: HIGH - The vulnerability is in a web-accessible file that can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if attackers gain initial access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists on GitHub showing how to exploit the vulnerability. The exploit requires no authentication and is straightforward to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Remove the vulnerable install directory or upgrade to a newer version if available.

🔧 Temporary Workarounds

Remove install directory

all

Delete the install directory once setup is complete, or move it outside the document root. Renaming it in place (for example to install_backup/) is not sufficient: the script stays reachable under a guessable name.

# Preferred: delete the installer outright
rm -rf /path/to/hoosk/install/
# Alternative: move it somewhere the web server does not serve
mv /path/to/hoosk/install/ /path/outside/webroot/install/

Block access via web server configuration

all

Configure web server to deny access to the install directory

# Apache 2.4: in the virtual host or main server config
# (<Directory> blocks are not permitted inside .htaccess)
<Directory "/path/to/hoosk/install">
    Require all denied
</Directory>
# Apache 2.4, when only .htaccess is available: put this single line in
# /path/to/hoosk/install/.htaccess
Require all denied
# Apache 2.2 uses the older syntax instead: "Order deny,allow" followed by "Deny from all"
# Nginx: in the server block. The ^~ modifier stops the regex location that
# passes .php files to PHP-FPM from winning over this prefix match.
location ^~ /install/ {
    return 403;
}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable system
  • Deploy a web application firewall (WAF) with rules to block access to install scripts

🔍 How to Verify

Check if Vulnerable:

Check whether /install/index.php is still served. Use a GET rather than HEAD, since some PHP front controllers answer HEAD with 200 regardless of path: curl -s -o /dev/null -w '%{http_code}\n' http://target/install/index.php. A 200 means the installer is reachable and the host should be treated as vulnerable.

Check Version:

Check Hoosk CMS version in configuration files or admin panel

Verify Fix Applied:

Confirm the install directory is gone or blocked: the same request should now return 403 or 404 (curl -s -o /dev/null -w '%{http_code}\n' http://target/install/index.php). A 3xx redirect deserves a closer look, since it may mean a rewrite rule is masking the real state.
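The verification steps above as a small script, added here as an example; it is not part of the original advisory or of the Hoosk project. It assumes Hoosk is served from the web root, so the installer lives at /install/index.php, and the target base URL is passed as an argument. The user-agent string is an illustrative choice.

```shell
#!/bin/sh
# Added example (not from the Hoosk project or the original advisory):
# probe one or more hosts for a reachable Hoosk install script and
# classify the answer. Assumes the CMS is served from the web root.

set -eu

# Map an HTTP status code to a verdict. 200 means the installer is still
# being served and the host should be treated as exploitable; 403/404/410
# mean the directory is blocked or gone; redirects and anything else
# need a human look before the host is marked clean.
classify_status() {
    case "$1" in
        200) echo "EXPOSED" ;;
        403|404|410) echo "BLOCKED" ;;
        301|302|307|308) echo "REDIRECT" ;;
        000) echo "UNREACHABLE" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Fetch only the status code with curl. GET rather than HEAD, because some
# PHP front controllers answer HEAD with 200 regardless of the path.
# curl reports 000 when no connection could be made.
probe_install_script() {
    base="${1%/}"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -A 'hoosk-install-check' "$base/install/index.php") || code=000
    printf '%s %s/install/index.php -> HTTP %s\n' \
        "$(classify_status "$code")" "$base" "$code"
}

# Usage: sh check_hoosk_install.sh https://cms.example.internal [more URLs]
if [ "$#" -ge 1 ]; then
    for target in "$@"; do
        probe_install_script "$target"
    done
fi
```

Run it against every host that carries a Hoosk deployment, before and after applying the workaround; only hosts reporting BLOCKED should be considered mitigated.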

📡 Detection & Monitoring

Log Indicators:

  • Any request to /install/index.php on a host whose installation is already complete; after setup the path should see no legitimate traffic at all
  • POST requests to the install directory; the installer is form-driven, so a POST is the request that carries attacker-supplied input
  • Child processes (sh, curl, wget, perl, python) spawned by the web server user (www-data, apache, nginx)

Network Indicators:

  • Outbound connections from web server to suspicious IPs
  • Unusual traffic patterns from web server

SIEM Query:

source="web_server" AND uri CONTAINS "/install/" AND NOT (status=403 OR status=404)
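The same triage run over access logs with standard tools, added here as an example that is not part of the original advisory. The log lines are constructed sample data in combined log format; the field positions assume the default Apache or nginx combined layout.

```shell
#!/bin/sh
# Added example (not from the original advisory): triage web server access
# logs for requests that reached the Hoosk installer. SAMPLE_LOG below is
# constructed test data in combined log format, not a real capture.

set -eu

SAMPLE_LOG='203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:41 +0000] "GET /install/index.php HTTP/1.1" 200 2044 "-" "python-requests/2.24.0"
203.0.113.7 - - [10/Oct/2020:13:55:49 +0000] "POST /install/index.php HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
198.51.100.2 - - [10/Oct/2020:14:02:10 +0000] "GET /install/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2020:14:02:15 +0000] "GET /admin HTTP/1.1" 200 3301 "-" "Mozilla/5.0"'

# Print every request whose path starts with /install/ and which the server
# answered with something other than 403/404, i.e. the installer was actually
# served. Combined-format fields: $1 client IP, $6 method (with a leading
# quote), $7 path, $9 status. Output: ip method path status.
install_hits() {
    awk '$7 ~ /^\/install\// && $9 !~ /^(403|404)$/ {
        sub(/^"/, "", $6)
        print $1, $6, $7, $9
    }'
}

# Count POSTs to the installer. The installer is form-driven, so a POST is
# the request that submits attacker-controlled configuration values and is
# the strongest single indicator in the log.
install_posts() {
    awk '$7 ~ /^\/install\// && $6 == "\"POST" { n++ } END { print n+0 }'
}

# Usage against real logs:  install_hits < /var/log/nginx/access.log
# Against the constructed sample above:
printf '%s\n' "$SAMPLE_LOG" | install_hits
```

On the sample, the 404 from 198.51.100.2 is dropped as a blocked attempt, while the 200 and the follow-up POST from 203.0.113.7 are reported; that GET-then-POST pair from a scripted user agent is the pattern to alert on.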
