CVE-2020-7388

10.0 CRITICAL

📋 TL;DR

CVE-2020-7388 is an unauthenticated remote command execution vulnerability in AdxDSrv.exe, the Sage X3 administration service (AdxAdmin, 1818/TCP). A request that should require administrator authentication is accepted without it, and the command it carries runs as NT AUTHORITY\SYSTEM on the server. Only on-premises installations are affected; the fix ships in AdxAdmin 93.2.53 together with the Syracuse component updates listed below. Exploitation needs the installation path, which an attacker can obtain first via CVE-2020-7387.

💻 Affected Systems

Products:
  • Sage X3
  • Sage X3 HR & Payroll
Versions: On-premises versions before:
  • Sage X3 Version 9: Syracuse < 9.22.7.2
  • Sage X3 Version 11: Syracuse < 11.25.2.6
  • Sage X3 Version 12: Syracuse < 12.10.2.8
  • Sage X3 HR & Payroll Version 9: Syracuse < 9.24.1.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Cloud/SaaS versions are not affected. Only on-premises deployments are vulnerable. Other on-premises versions are unsupported by vendor.

📦 What is this software?

Sage X3 is an enterprise resource planning (ERP) suite from Sage, run either on-premises or as a Sage-hosted cloud service. AdxDSrv.exe is the process behind the AdxAdmin administration service, which the Sage X3 Console talks to over 1818/TCP to manage the installation; Syracuse is the web server component of the same installation, which is why the fix is delivered as an AdxAdmin update paired with Syracuse updates.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, data exfiltration, and lateral movement across the network.

🟠

Likely Case

Unauthenticated attackers gaining full control of the Sage X3 server, potentially accessing sensitive business data and using the system as a foothold for further attacks.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable components.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of installation path, which can be obtained via CVE-2020-7387. Public exploit code and technical details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AdxAdmin 93.2.53 with Syracuse updates: Version 9 (9.22.7.2+), Version 11 (11.25.2.6+), Version 12 (12.10.2.8+), Sage X3 HR & Payroll Version 9 (9.24.1.3+)

Vendor Advisory: https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches

Restart Required: Yes

Instructions:

1. Download the latest patches from the Sage support portal.
2. Apply the AdxAdmin 93.2.53 update.
3. Apply the Syracuse component update for your release (9.22.7.2, 11.25.2.6, 12.10.2.8, or 9.24.1.3 for HR & Payroll).
4. Restart the Sage X3 services and verify functionality.

🔧 Temporary Workarounds

Network Access Restriction

windows

Block inbound access to the Sage X3 AdxDSrv.exe service (typically 1818/TCP) with a host firewall rule. The rule below blocks every inbound connection to the port, including the Sage X3 Console used for legitimate administration. If administrators still need the port, leave the default inbound-block policy in place and keep only an allow rule for 1818/TCP scoped with remoteip= to the administration hosts; Windows Firewall evaluates block rules before allow rules, so a broad block cannot be punched through with a narrower allow.

netsh advfirewall firewall add rule name="Block Sage X3 AdxDSrv" dir=in action=block protocol=TCP localport=1818

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Sage X3 servers from untrusted networks and internet access.
  • Deploy application control/whitelisting to prevent execution of unauthorized binaries on Sage X3 servers.

🔍 How to Verify

Check if Vulnerable:

An installation is vulnerable if AdxAdmin is below 93.2.53 or the Syracuse component is below the fixed version for its release (9.22.7.2, 11.25.2.6, 12.10.2.8, or 9.24.1.3 for HR & Payroll). Releases the vendor no longer supports have no fix and should be treated as vulnerable. Log review does not establish whether the host is vulnerable; it only indicates whether the flaw may already have been used (see Detection & Monitoring).

Check Version:

Read the component versions from the Sage X3 Console or the installation directory. On Windows, the AdxAdmin version is also visible under Programs and Features and in the file properties (Details tab) of AdxDSrv.exe.

Verify Fix Applied:

Confirm that AdxAdmin is 93.2.53 or higher and that the Syracuse component meets the fixed version for your release, then confirm that the Sage X3 Console still connects to the server and normal administration works after the restart.
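The version checks above, as an added example in Python (not Sage's code, nor part of this advisory): it encodes the fixed versions listed on this page and reports whether a given installation is still exposed. The version strings are supplied by the caller, for instance copied from the file properties of AdxDSrv.exe and from the Syracuse installation; the product names are the ones used in the Affected Systems table.

```python
# Added example (not Sage's or the advisory's code): decide whether an
# on-premises Sage X3 installation is still exposed to CVE-2020-7388 by
# comparing installed component versions against the fixed versions listed
# in this advisory. Version strings are supplied by the caller.
from typing import Optional, Tuple

# Fixed versions from the advisory; anything below an entry is vulnerable.
FIXED_ADXADMIN: Tuple[int, ...] = (93, 2, 53)
FIXED_SYRACUSE = {
    ("Sage X3", 9): (9, 22, 7, 2),
    ("Sage X3", 11): (11, 25, 2, 6),
    ("Sage X3", 12): (12, 10, 2, 8),
    ("Sage X3 HR & Payroll", 9): (9, 24, 1, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.10.2.8' into (12, 10, 2, 8). Tuples compare component-wise,
    and a shorter tuple with an equal prefix sorts lower, so '12.10.2' is
    treated as older than 12.10.2.8 (the conservative choice)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def assess(product: str, syracuse_version: str,
           adxadmin_version: Optional[str] = None) -> Tuple[bool, str]:
    """Return (vulnerable, reason). Releases without an entry in the fixed
    table are unsupported by the vendor and reported as vulnerable."""
    syracuse = parse_version(syracuse_version)
    key = (product, syracuse[0])
    if key not in FIXED_SYRACUSE:
        return True, (f"{product} version {syracuse[0]} is not a supported "
                      "on-premises release; no fix is available")
    fixed = FIXED_SYRACUSE[key]
    if syracuse < fixed:
        return True, f"Syracuse {syracuse_version} is below fixed {fmt(fixed)}"
    if adxadmin_version is not None and parse_version(adxadmin_version) < FIXED_ADXADMIN:
        return True, f"AdxAdmin {adxadmin_version} is below fixed {fmt(FIXED_ADXADMIN)}"
    if adxadmin_version is None:
        return False, "Syracuse is patched; AdxAdmin version not supplied, verify it separately"
    return False, "Syracuse and AdxAdmin meet the fixed versions"


if __name__ == "__main__":
    # Constructed inputs, not data from a real installation.
    for args in [("Sage X3", "12.10.2.7", "93.2.53"),
                 ("Sage X3", "12.10.2.8", "93.2.52"),
                 ("Sage X3 HR & Payroll", "9.24.1.3", "93.2.53"),
                 ("Sage X3", "10.1.0.0", "93.2.53")]:
        vulnerable, reason = assess(*args)
        print("VULNERABLE" if vulnerable else "ok        ", *args, "-", reason)
```

Both components must be at or above their fixed version: a patched Syracuse with an old AdxAdmin is still reported as vulnerable, because the vulnerable code lives in the AdxAdmin service.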

📡 Detection & Monitoring

Log Indicators:

  • Process creation events (Windows Security event 4688, Sysmon event 1) in which the parent is AdxDSrv.exe and the child is cmd.exe, powershell.exe or another script host or LOLBin; because the flaw bypasses authentication, do not expect preceding failed-login events
  • Any other child process of AdxDSrv.exe, running as SYSTEM, outside of planned administration windows
  • Administrative actions recorded in the Sage X3 / AdxAdmin logs that no administrator performed

Network Indicators:

  • Connections to 1818/TCP from hosts other than the Sage X3 Console and known administration hosts, or from the internet
  • Short unsolicited sessions to 1818/TCP shortly before a process creation on the server (an installation-path lookup via CVE-2020-7387 followed by the command request)

SIEM Query:

(EventID=4688 OR EventID=1) AND ParentImage="*\AdxDSrv.exe" AND Image IN ("*\cmd.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe", "*\cscript.exe", "*\mshta.exe")

Field names follow Sysmon (ParentImage, Image); for Windows Security event 4688 use Creator Process Name and New Process Name instead. The signal is in the Windows event logs of the Sage X3 server, not in the application logs.
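The same detection logic run over process-creation records, as an added Python example (not Sage's code, nor part of this advisory): it flags any process whose parent is AdxDSrv.exe and raises the severity when the child is a shell or other LOLBin. The sample records are constructed to mirror the fields of Windows Security event 4688, and the Sage installation path in them is an assumption; the same logic applies to Sysmon event 1 after renaming the parent/child fields.

```python
# Added example (not Sage's or the advisory's code): flag process-creation
# records in which AdxDSrv.exe is the parent process. Records are dicts with
# the field names of Windows Security event 4688 (constructed sample below).
import ntpath
from typing import Dict, List, Optional, Tuple

# Children an administration service should not be spawning on demand.
# Extend for your environment.
SHELLS_AND_LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

Event = Dict[str, str]


def _basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(path).lower()


def classify(event: Event) -> Optional[str]:
    """'alert' for a shell/LOLBin spawned by AdxDSrv.exe, 'review' for any
    other child of AdxDSrv.exe, None for unrelated events."""
    if _basename(event.get("ParentProcessName", "")) != "adxdsrv.exe":
        return None
    child = _basename(event.get("NewProcessName", ""))
    return "alert" if child in SHELLS_AND_LOLBINS else "review"


def scan(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (verdict, child process, command line) for every flagged event."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            hits.append((verdict, event["NewProcessName"], event.get("CommandLine", "")))
    return hits


# Constructed sample telemetry, not real events. The installation path is an
# assumption; on a real host it is whatever CVE-2020-7387 would disclose.
ADX_PATH = r"C:\Sage\SafeX3\ADXADMIN\bin\AdxDSrv.exe"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4688", "SubjectUserName": "SYSTEM",
     "ParentProcessName": ADX_PATH,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "net user backup Passw0rd! /add"'},
    {"EventID": "4688", "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": "4688", "SubjectUserName": "SYSTEM",
     "ParentProcessName": ADX_PATH,
     # hypothetical helper binary, included to show the lower-severity path
     "NewProcessName": r"C:\Sage\SafeX3\ADXADMIN\bin\setup_helper.exe",
     "CommandLine": "setup_helper.exe --reconfigure"},
]

if __name__ == "__main__":
    for verdict, child, cmdline in scan(SAMPLE_EVENTS):
        print(f"{verdict:6} {child}  {cmdline}")
```

Matching on the parent's basename rather than its full path keeps the rule independent of the installation directory, which varies between deployments and is exactly what CVE-2020-7387 leaks to the attacker.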
