CVE-2020-7875
📋 TL;DR
CVE-2020-7875 is a remote code execution vulnerability in DEXT5 Upload's ActiveX module that allows attackers to download and execute arbitrary files by manipulating module arguments. This affects users of DEXT5 Upload version 5.0.0.117 and earlier. The vulnerability can be exploited through web applications that use the vulnerable ActiveX control.
💻 Affected Systems
- DEXT5 Upload
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, installing malware, stealing data, and using the system as a pivot point for lateral movement.
Likely Case
Remote code execution leading to malware installation, data exfiltration, or ransomware deployment on vulnerable systems.
If Mitigated
Limited impact through network segmentation and application controls, potentially only affecting isolated systems.
🎯 Exploit Status
Exploitation requires tricking users into visiting malicious web pages or compromising web applications using the control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.0.118 or later
Vendor Advisory: https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36312
Restart Required: No
Instructions:
1. Download the latest version from the DEXT5 vendor.
2. Uninstall the vulnerable version.
3. Install the patched version.
4. Test upload functionality.
🔧 Temporary Workarounds
Disable ActiveX in Internet Explorer
Platform: Windows. Prevents exploitation through web browsers by disabling ActiveX controls.
Set Internet Explorer security settings to disable ActiveX controls.
Block DEXT5 Upload ActiveX CLSID
Platform: Windows. Prevents the vulnerable ActiveX control from being loaded.
Use Group Policy to block CLSID: {CLSID of DEXT5 Upload}
🧯 If You Can't Patch
- Network segmentation to isolate systems using DEXT5 Upload
- Implement web application firewall rules to block malicious requests targeting the vulnerability
🔍 How to Verify
Check if Vulnerable:
Check DEXT5 Upload version in installed programs or registry: HKEY_LOCAL_MACHINE\SOFTWARE\DEXT5\Upload
Check Version:
reg query "HKLM\SOFTWARE\DEXT5\Upload" /v Version
Verify Fix Applied:
Verify version is 5.0.0.118 or later and test upload functionality
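The version check above, carried out as a script, as an added example that is not from this advisory or from the DEXT5 vendor. It reads the registry path and value name the page gives (HKLM\SOFTWARE\DEXT5\Upload, value "Version"), compares the result with the patched release 5.0.0.118 using PowerShell's [version] type rather than a string compare, and reports whether the Internet Explorer kill bit is set for the control's CLSID. The WOW6432Node path is an assumption (a 32-bit control on 64-bit Windows is registry-redirected there), and the CLSID is a placeholder that must be replaced with the real one.

```powershell
# Added example, not the advisory's or vendor's own code.
# Registry key and value name are taken from the page's "How to Verify" section.
$PatchedVersion = [version]'5.0.0.118'
$VersionKeys = @(
    'HKLM:\SOFTWARE\DEXT5\Upload',              # as given on the page
    'HKLM:\SOFTWARE\WOW6432Node\DEXT5\Upload'   # assumption: 32-bit control on 64-bit Windows
)
$Clsid = '{CLSID-OF-DEXT5-UPLOAD-PLACEHOLDER}'  # placeholder: replace with the control's CLSID

function Get-Dext5UploadVersion {
    # Returns the installed version as [version], or $null if no key/value is present.
    foreach ($key in $VersionKeys) {
        $item = Get-ItemProperty -Path $key -Name 'Version' -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.Version) {
            try { return [version]$item.Version } catch { return $null }
        }
    }
    return $null
}

function Test-Dext5UploadPatched {
    # True when the installed version is 5.0.0.118 or later.
    param([version]$Installed, [version]$Patched = $PatchedVersion)
    if ($null -eq $Installed) { return $false }
    return ($Installed -ge $Patched)
}

function Test-ActiveXKillBit {
    # True when the IE kill bit (Compatibility Flags bit 0x400) is set for the CLSID.
    param([string]$Clsid)
    $path  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $entry = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $entry) { return $false }
    return (([int]$entry.'Compatibility Flags' -band 0x400) -ne 0)
}

$installed = Get-Dext5UploadVersion
if ($null -eq $installed) {
    Write-Output 'DEXT5 Upload version key not found; the control may not be installed on this host.'
} elseif (Test-Dext5UploadPatched -Installed $installed) {
    Write-Output "DEXT5 Upload $installed is at or above $PatchedVersion; CVE-2020-7875 is fixed."
} else {
    Write-Output "DEXT5 Upload $installed is affected by CVE-2020-7875; update to $PatchedVersion or later."
    if (Test-ActiveXKillBit -Clsid $Clsid) {
        Write-Output 'Interim mitigation present: the ActiveX kill bit is set for the control.'
    } else {
        Write-Output 'No kill bit set: Internet Explorer can still load the vulnerable control.'
    }
}
```

Run it in an elevated PowerShell session on each host where the control is deployed; a string comparison of "5.0.0.118" against "5.0.0.9" would sort incorrectly, which is why the script casts to [version] before comparing.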
📡 Detection & Monitoring
Log Indicators:
- Unusual file downloads via DEXT5 Upload
- Suspicious process execution from temporary directories
- ActiveX loading errors in application logs
Network Indicators:
- HTTP requests to DEXT5 Upload endpoints with suspicious parameters
- Unexpected outbound connections from a host shortly after the DEXT5 Upload control was invoked
SIEM Query:
source="*DEXT5*" AND (event="download" OR event="execute") AND (url="*remote*" OR param="*variable*")