CVE-2020-5635 – CVE-2020-5635 is an OS command injection vulner... (How to Fix)

Q: What is the severity of CVE-2020-5635?

CVE-2020-5635 has a CVSS score of 8.8 (HIGH). CVE-2020-5635 is an OS command injection vulnerability in Aterm SA3500G routers that allows attackers on the same network to execute arbitrary commands by sending specially crafted requests to a specific URL. This affects organizations using Aterm SA3500G routers with firmware versions before 3.5.9.

📋 TL;DR

CVE-2020-5635 is an OS command injection vulnerability in Aterm SA3500G routers that allows attackers on the same network to execute arbitrary commands by sending specially crafted requests to a specific URL. This affects organizations using Aterm SA3500G routers with firmware versions before 3.5.9.

💻 Affected Systems

Products:

NEC Platforms Aterm SA3500G router

Versions: All firmware versions prior to Ver. 3.5.9

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability is in the web management interface and requires the attacker to be on the same network segment as the router.

📦 What is this software?

Aterm Sa3500g Firmware by Necplatforms

View all CVEs affecting Aterm Sa3500g Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, modify router configuration, pivot to internal networks, or install persistent backdoors.

🟠

Likely Case

Router takeover leading to network disruption, credential theft, or deployment of malware to connected devices.

🟢

If Mitigated

Limited impact if network segmentation prevents adjacent network access or if the router is not internet-facing.

🌐 Internet-Facing: HIGH if the router's web interface is exposed to the internet, as attackers could exploit remotely.

🏢 Internal Only: HIGH as the vulnerability requires only adjacent network access, making internal attackers or compromised devices a significant threat.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and has publicly available proof-of-concept code, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ver. 3.5.9

Vendor Advisory: https://www.necplatforms.co.jp/product/security_ap/info_20201211.html

Restart Required: Yes

Instructions:

1. Download firmware version 3.5.9 from NEC Platforms website. 2. Log into router web interface. 3. Navigate to firmware update section. 4. Upload and apply the new firmware. 5. Reboot the router after update completes.

🔧 Temporary Workarounds

Disable web management interface

all

Temporarily disable the router's web management interface to prevent exploitation while planning patching.

Login via SSH/Telnet and disable web interface using vendor-specific commands

Network segmentation

all

Isolate the router management interface to a dedicated VLAN with strict access controls.

🧯 If You Can't Patch

Implement strict network access controls to limit who can reach the router's management interface
Monitor network traffic for suspicious requests to the vulnerable URL endpoint

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Information or via SSH/Telnet using vendor-specific version commands.

Check Version:

Login to router and check version via web interface or use vendor CLI commands

Verify Fix Applied:

Confirm firmware version shows 3.5.9 or higher in the router management interface.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests to router management URLs
Multiple failed login attempts followed by command execution patterns

Network Indicators:

Suspicious HTTP POST requests containing shell metacharacters to router IP
Unexpected outbound connections from router

SIEM Query:

source_ip=router_ip AND (http_uri CONTAINS "/cgi-bin/" AND http_method="POST" AND http_user_agent UNUSUAL)

📊 Metadata

CVE ID: CVE-2020-5635

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: December 14, 2020

Last Updated: November 21, 2024

🔗 References

https://jvn.jp/en/jp/JVN55917325/index.html Third Party Advisory
https://jvn.jp/jp/JVN55917325/index.html Third Party Advisory
https://www.necplatforms.co.jp/product/security_ap/info_20201211.html Vendor Advisory
https://jvn.jp/en/jp/JVN55917325/index.html Third Party Advisory
https://jvn.jp/jp/JVN55917325/index.html Third Party Advisory
https://www.necplatforms.co.jp/product/security_ap/info_20201211.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-5635, you might also want to check these: