CVE-2020-35339

9.8 CRITICAL

📋 TL;DR

CVE-2020-35339 is a critical remote code execution vulnerability in 74cms version 5.0.1 that allows attackers to execute arbitrary code on affected servers. Attackers can gain full server control by exploiting insecure functions in the configuration controller and ThinkPHP framework. This affects all organizations running vulnerable 74cms installations.

💻 Affected Systems

Products:
  • 74cms (Qiye Recruitment System)
Versions: 5.0.1
Operating Systems: Any OS running PHP (Linux, Windows, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Windows and Linux deployments. Requires PHP environment with vulnerable ThinkPHP framework functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case

Attackers gain shell access to the web server, deploy web shells, steal sensitive data, and potentially pivot to other systems.

🟢 If Mitigated

Limited impact with proper network segmentation, web application firewalls, and minimal privileges, but still a significant risk.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication, affecting publicly accessible websites.
🏢 Internal Only: MEDIUM - Still exploitable internally but requires network access; could be used for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. The attack requires no authentication and is trivial to execute with a basic web request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 5.0.2 or later

Vendor Advisory: http://www.74cms.com/download/index.html

Restart Required: No

Instructions:

1. Download the latest version from the 74cms website.
2. Back up the current installation.
3. Replace vulnerable files with the patched versions.
4. Verify that no custom modifications are overwritten.
5. Test functionality.

🔧 Temporary Workarounds

File Access Restriction

Restrict access to the vulnerable controller files via web server configuration. Note that ThinkPHP dispatches controllers through the front controller (index.php), so this only blocks direct requests for the class file; combine it with the WAF rule and patching rather than relying on it alone.

# For Apache: add to .htaccess (AllowOverride must permit Limit/AuthConfig)
<Files "ConfigController.class.php">
    # Apache 2.2 syntax; on 2.4 this needs mod_access_compat
    Order allow,deny
    Deny from all
    # Apache 2.4 native syntax (use instead of the two lines above)
    # Require all denied
</Files>
# For Nginx: add to the server block
location ~* /Application/Admin/Controller/ConfigController\.class\.php {
    deny all;
}

WAF Rule Implementation


Deploy web application firewall rules to block exploitation attempts

# ModSecurity rule example (ids 1-99,999 are reserved for local rules).
# ARGS is already URL-decoded once; t:urlDecodeUni additionally catches
# double-encoded parameters. Test in DetectionOnly mode first to gauge
# false positives on legitimate form content.
SecRule ARGS "@rx eval\s*\(|system\s*\(|exec\s*\(" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'RCE attempt detected'"

🧯 If You Can't Patch

  • Isolate affected system in separate network segment with strict firewall rules
  • Implement application-level input validation and sanitization for all user inputs

🔍 How to Verify

Check if Vulnerable:

Check if /Application/Admin/Controller/ConfigController.class.php exists and contains vulnerable eval() or system() calls. Also check ThinkPHP/Common/functions.php for insecure functions.

Check Version:

Check version in /Application/Common/Conf/config.php or look for version file in installation directory

Verify Fix Applied:

Verify ConfigController.class.php no longer contains dangerous eval() calls and functions.php has proper input validation. Test with known exploit payloads.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /Application/Admin/Controller/ConfigController.class.php with eval/system parameters
  • Unusual PHP process execution from web user
  • Web shell file creation in upload directories

Network Indicators:

  • HTTP requests containing base64 encoded PHP code
  • Rapid succession of exploit attempts to vulnerable endpoints
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_logs" AND (uri="*ConfigController*" AND (method="POST" OR params="*eval*" OR params="*system*"))
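The log indicators and the SIEM query above, turned into an offline filter that a defender can run over exported access logs. This is an added example, not code from the original page or from the 74cms project; the log lines it processes are constructed in combined log format, the list of PHP call names beyond eval/system/exec is an assumption about what else is worth flagging, and the base64 check implements the "base64 encoded PHP code" network indicator. The trailing `(` in the call regex keeps names like `evaluate.js` from matching.

```python
"""Flag access-log lines matching the CVE-2020-35339 detection indicators.

Added example (not from the original advisory): an offline filter that
applies the log indicators and the SIEM query from the advisory to
Apache/Nginx combined-format access log lines. Sample lines are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Combined log format: ip ident user [timestamp] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# eval/system/exec come from the advisory's indicators; passthru and
# shell_exec are an assumed extension. The required '(' avoids matching
# ordinary words such as "evaluate".
DANGEROUS_CALL_RE = re.compile(r'\b(eval|system|exec|passthru|shell_exec)\s*\(', re.I)

# Loose base64 shape check; values that pass are decoded and inspected.
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')

VULNERABLE_CONTROLLER = "ConfigController"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_php_payload(value):
    """True if value is base64 that decodes to PHP code (network indicator)."""
    if not B64_RE.match(value):
        return False
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    text = blob.decode("latin-1")
    return "<?php" in text or bool(DANGEROUS_CALL_RE.search(text))


def classify(entry):
    """Return the indicator names that one parsed log entry triggers."""
    reasons = []
    path, _, query = entry["uri"].partition("?")
    # Log indicator / SIEM clause: POST to the vulnerable controller path.
    if VULNERABLE_CONTROLLER in path and entry["method"] == "POST":
        reasons.append("post_to_config_controller")
    # Log indicator / SIEM clause: eval/system-style calls in parameters.
    # parse_qsl URL-decodes values, so %28 etc. do not defeat the regex.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if DANGEROUS_CALL_RE.search(value):
            reasons.append(f"dangerous_call_in_param:{name}")
        elif decoded_php_payload(value):
            reasons.append(f"base64_php_in_param:{name}")
    return reasons


def flag_suspicious(lines):
    """Return (ip, uri, reasons) for every parseable line that matches an indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["uri"], reasons))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.5 is a
# documentation-range address standing in for a suspicious client.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?m=Home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /Application/Admin/Controller/ConfigController.class.php HTTP/1.1" 200 77 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?m=Admin&c=Config&val=eval%28%22x%22%29 HTTP/1.1" 200 77 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?code=PD9waHAgZWNobyAxOyA/Pg== HTTP/1.1" 200 77 "-" "curl/7.68.0"',
    '192.0.2.11 - - [10/Oct/2023:13:56:00 +0000] "GET /static/js/evaluate.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, reasons in flag_suspicious(SAMPLE_LOG):
        print(ip, uri, ", ".join(reasons))
```

On the constructed sample the filter reports the three lines from 203.0.113.5 and leaves the `evaluate.js` request alone; on real logs, feed it the exported access log one line at a time and aggregate hits per source address to surface the "rapid succession of exploit attempts" indicator.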
