CVE-2020-8868

9.8 CRITICAL

📋 TL;DR

CVE-2020-8868 is a critical vulnerability in Quest Foglight Evolve that allows remote attackers to execute arbitrary code without authentication. The vulnerability exists due to a hard-coded password for the '__service__' user account, enabling attackers to gain SYSTEM-level privileges. All installations of Quest Foglight Evolve 9.0.0 are affected.

💻 Affected Systems

Products:
  • Quest Foglight Evolve
Versions: 9.0.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in default installations and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with SYSTEM privileges, allowing attackers to install malware, exfiltrate data, pivot to other systems, and maintain persistent access.

🟠 Likely Case: Remote code execution leading to data theft, ransomware deployment, or creation of backdoors for future attacks.

🟢 If Mitigated: Limited impact if network segmentation prevents external access and proper monitoring detects exploitation attempts.

🌐 Internet-Facing: HIGH - No authentication required and remote exploitation makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, the lack of authentication requirement makes this easily exploitable by any internal threat actor.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The hard-coded password makes exploitation trivial once discovered. ZDI-CAN-9553 indicates active research and likely weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply hotfix from Quest support article 315091

Vendor Advisory: https://support.quest.com/foglight/kb/315091/fms-5-9-5-hotfix-hfix-314

Restart Required: Yes

Instructions:

1. Download the hotfix from Quest support article 315091.
2. Stop Foglight Evolve services.
3. Apply the hotfix according to vendor instructions.
4. Restart services.
5. Verify the fix by checking that the hard-coded password is no longer present.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict network access to Foglight Evolve systems to only trusted administrative networks

Firewall Rules (all)

Block external access to Foglight Evolve ports (typically 8080, 8443, and other configured ports)

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and untrusted networks
  • Implement strict network monitoring and alerting for any access attempts to Foglight Evolve services

🔍 How to Verify

Check if Vulnerable:

Check if Foglight Evolve version is 9.0.0 and review configuration for presence of hard-coded '__service__' account credentials

Check Version:

Check Foglight Evolve administration console or configuration files for version information

Verify Fix Applied:

Verify hotfix installation and confirm that the hard-coded password has been removed/changed

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts for '__service__' account
  • Unusual process execution from Foglight Evolve service context
  • Network connections from Foglight Evolve to unexpected destinations

Network Indicators:

  • Unexpected traffic from Foglight Evolve ports to external IPs
  • Exploitation attempts targeting Foglight Evolve services

SIEM Query:

source="foglight.log" AND ("__service__" OR "authentication failure" OR "unauthorized access")
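As an added example (not part of this advisory and not Quest's tooling), the script below applies the log and network indicators listed above to constructed sample log lines: repeated '__service__' authentication failures per source, and Foglight connections to destinations outside internal address space. It also goes one step further than the indicator list by flagging a successful '__service__' login from outside the trusted admin networks named in the Network Segmentation workaround; the log layout, event names and the network ranges are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed: admin networks allowed to reach Foglight (Network Segmentation workaround).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Assumed: address space treated as internal; anything else is an "unexpected destination".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed log layout: "<ts> <event> user=<name> src=<ip> [dst=<ip>:<port>]"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
                     r"(?: dst=(?P<dst>[\d.]+):(?P<port>\d+))?")

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def scan(lines, fail_threshold=3):
    """Return (indicator, address) tuples for the log indicators listed above."""
    failures = Counter()  # failed __service__ logins per source address
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed line; a real collector would count these separately
        event, user, src = m["event"], m["user"], m["src"]
        if user == "__service__" and event == "auth_failure":
            failures[src] += 1
        elif user == "__service__" and event == "auth_success" and not in_nets(src, TRUSTED_ADMIN_NETS):
            # The __service__ account is internal plumbing; a successful login from
            # outside the admin network is the strongest signal in this set.
            alerts.append(("service_login_untrusted", src))
        if event == "outbound_connect" and m["dst"] and not in_nets(m["dst"], INTERNAL_NETS):
            alerts.append(("external_egress", m["dst"]))
    alerts += [("service_bruteforce", s) for s, n in failures.items() if n >= fail_threshold]
    return alerts

# Constructed sample log for the demonstration; not real Foglight output.
SAMPLE_LOG = [
    "2020-02-10T10:00:01Z auth_failure user=__service__ src=203.0.113.45",
    "2020-02-10T10:00:02Z auth_failure user=__service__ src=203.0.113.45",
    "2020-02-10T10:00:03Z auth_failure user=__service__ src=203.0.113.45",
    "2020-02-10T10:00:04Z auth_success user=__service__ src=203.0.113.45",
    "2020-02-10T10:00:05Z auth_success user=admin src=10.10.0.7",
    "2020-02-10T10:00:09Z outbound_connect user=__service__ src=10.10.1.20 dst=203.0.113.9:443",
    "2020-02-10T10:00:10Z outbound_connect user=- src=10.10.1.20 dst=10.10.0.50:8443",
]

if __name__ == "__main__":
    for indicator, addr in scan(SAMPLE_LOG):
        print(indicator, addr)
```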
