CVE-2020-37186
📋 TL;DR
CVE-2020-37186 is a critical remote code execution vulnerability in Chevereto image hosting software. Attackers can inject malicious PHP code during database configuration by manipulating the table prefix parameter, allowing them to execute arbitrary system commands. This affects all Chevereto Free 3.13.4 installations during initial setup or reconfiguration.
💻 Affected Systems
- Chevereto Free
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, allowing data theft, malware deployment, and lateral movement to other systems.
Likely Case
Webshell installation leading to data exfiltration, defacement, cryptocurrency mining, or use as part of a botnet.
If Mitigated
Attack prevented through proper network segmentation, web application firewalls, and timely patching.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB and other sources. Attack requires access to the installation/reconfiguration interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.13.5 and later
Vendor Advisory: https://chevereto.com/
Restart Required: No
Instructions:
1. Download latest version from Chevereto website or GitHub.
2. Backup current installation.
3. Replace vulnerable files with patched version.
4. Verify installation works correctly.
🔧 Temporary Workarounds
Remove installation directory
Delete or restrict access to the installation directory after initial setup. Run one of the two commands, not both: rm removes the directory outright, chmod keeps it on disk but denies all access to it.
rm -rf /path/to/chevereto/install
chmod 000 /path/to/chevereto/install
Web Application Firewall rule
Block requests containing suspicious PHP code patterns in POST parameters
🧯 If You Can't Patch
- Isolate the Chevereto instance behind a reverse proxy with strict input validation
- Implement network segmentation to limit potential lateral movement if compromised
🔍 How to Verify
Check if Vulnerable:
Check if Chevereto version is 3.13.4 and installation directory is accessible
Check Version:
grep -r "VERSION" /path/to/chevereto/includes/constants.php | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+"
Verify Fix Applied:
Verify version is 3.13.5 or later and test that installation directory is not accessible
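The version check above is easy to get wrong when it is done as a string comparison ("3.9.9" sorts after "3.13.5" as text, and a single-digit regex never matches 3.13.4). The following script is an added example, not code from this page or from Chevereto; it parses the version as an integer tuple, compares it against 3.13.5 from the advisory above, and checks whether the install directory is still reachable on disk. The define() name inside the sample constants.php text is an assumption, and /path/to/chevereto/install is the page's own placeholder.

```python
import os
import re
from pathlib import Path

# Constructed sample of what includes/constants.php might contain; the
# define() name APP_VERSION is an assumption, not taken from Chevereto.
SAMPLE_CONSTANTS_PHP = """<?php
define('APP_VERSION', '3.13.4');
"""

# First patched release according to the advisory section above.
FIXED_VERSION = (3, 13, 5)

# Each component may have several digits, so 3.13.4 is matched correctly.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(php_source: str) -> tuple:
    """Return the first x.y.z version found in the file as an int tuple."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no x.y.z version string found")
    return tuple(int(g) for g in m.groups())


def is_patched(version) -> bool:
    """Tuple comparison avoids the string pitfall where '3.9.9' > '3.13.5'."""
    return tuple(version) >= FIXED_VERSION


def install_dir_exposed(install_dir: Path) -> bool:
    """True if the install directory still exists and the current user can
    read it. A removed directory or one set to mode 000 (when not running
    as root, which bypasses mode bits) passes the check."""
    return install_dir.exists() and os.access(install_dir, os.R_OK)


def assess(php_source: str, install_dir: Path) -> dict:
    """Combine both checks into one verdict dictionary."""
    v = parse_version(php_source)
    return {
        "version": ".".join(map(str, v)),
        "patched": is_patched(v),
        "install_dir_exposed": install_dir_exposed(install_dir),
    }


if __name__ == "__main__":
    # Placeholder path from the page; replace with the real install location.
    print(assess(SAMPLE_CONSTANTS_PHP, Path("/path/to/chevereto/install")))
```

On a real host, read includes/constants.php from disk and pass its contents to assess(); a system is only clear when patched is True and install_dir_exposed is False.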
📡 Detection & Monitoring
Log Indicators:
- POST requests to installation scripts with unusual table prefix parameters
- File creation in web root with .php extension during installation
Network Indicators:
- HTTP POST to /install with suspicious payloads
- Unexpected outbound connections from web server
SIEM Query:
source="web_logs" AND (uri_path="/install" OR uri_path="/install/index.php") AND http_method="POST" AND (param_name="table_prefix" AND param_value CONTAINS "<?php")
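The SIEM query above matches the literal text "<?php", but a browser or HTTP client sends form bodies URL-encoded, so the same value arrives as "%3C%3Fphp" and a raw substring match misses it. The script below is an added example, not code from this page or from Chevereto; it applies the page's log indicators (POST to /install or /install/index.php with a PHP open tag in table_prefix) to constructed JSON records of the kind a reverse proxy or WAF writes when it is configured to log POST bodies. The record field names are an assumption, and the check also treats the short open tag "<?=" as suspicious, which goes slightly beyond the page's "<?php" pattern.

```python
import json
from urllib.parse import parse_qs

# Paths named in the page's log and SIEM indicators.
INSTALL_PATHS = ("/install", "/install/index.php")

# "<?php" is the page's indicator; "<?=" is added here because PHP also
# treats the short echo tag as an open tag.
PHP_OPEN_TAGS = ("<?php", "<?=")

# Constructed sample records (field names are an assumption). The second
# record carries a harmless URL-encoded "<?php echo 1; ?>" in table_prefix.
SAMPLE_LOG = [
    '{"method":"POST","uri":"/install/index.php","body":"db_host=localhost&table_prefix=chv_","src":"10.0.0.5"}',
    '{"method":"POST","uri":"/install","body":"db_host=localhost&table_prefix=chv_%3C%3Fphp+echo+1%3B+%3F%3E","src":"203.0.113.7"}',
    '{"method":"GET","uri":"/install","body":"","src":"10.0.0.5"}',
    '{"method":"POST","uri":"/index.php","body":"table_prefix=%3C%3Fphp","src":"10.0.0.9"}',
]


def is_install_path(uri: str) -> bool:
    """Normalise the request path (drop query string and trailing slash)
    before comparing against the installer paths."""
    path = uri.split("?", 1)[0].rstrip("/") or "/"
    return path in INSTALL_PATHS


def suspicious_table_prefix(body: str) -> bool:
    """Decode the form body first so percent-encoded tags are caught, then
    look for a PHP open tag in any table_prefix value (case-insensitive)."""
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("table_prefix", []):
        lowered = value.lower()
        if any(tag in lowered for tag in PHP_OPEN_TAGS):
            return True
    return False


def flag_records(lines):
    """Return the records that match all three indicators: POST method,
    installer path, and a PHP open tag in table_prefix."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not is_install_path(rec.get("uri", "")):
            continue
        if suspicious_table_prefix(rec.get("body", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in flag_records(SAMPLE_LOG):
        print("ALERT: PHP tag in table_prefix from", rec["src"], "to", rec["uri"])
```

Only the second sample record is flagged: the first uses a normal prefix, the third is a GET, and the fourth posts to a non-installer path, which the page's query also excludes. When translating this back into a SIEM rule, make sure the platform decodes the parameter value before the CONTAINS test, or add the encoded form "%3C%3Fphp" as a second pattern.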