CVE-2020-9026

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary operating system commands on affected ELTEX networking devices via command injection in the PING field. Attackers can gain full control of the device, potentially compromising the entire network. Affected devices include ELTEX NTP-RG-1402G and NTP-2 models.

💻 Affected Systems

Products:
  • ELTEX NTP-RG-1402G
  • ELTEX NTP-2
Versions: NTP-RG-1402G firmware 1v10 3.25.3.32 and earlier; NTP-2 firmware versions unspecified but confirmed affected
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices with web management interface accessible are vulnerable. The vulnerability exists in the ping.cmd resource.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Unauthorized access to device configuration, network traffic interception, denial of service, and credential harvesting.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict ingress filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the device's web interface. The vulnerability is in a publicly accessible resource without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

Check with ELTEX vendor for firmware updates. No official patch information is publicly documented.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

Restrict network access to device management interfaces using firewall rules

Disable Web Interface (applies to: all)

Disable the web management interface if not required for operation

🧯 If You Can't Patch

  • Segment affected devices into isolated network zones with strict firewall rules
  • Implement network monitoring and intrusion detection for suspicious ping.cmd requests

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI. If running NTP-RG-1402G firmware 1v10 3.25.3.32 or earlier, assume vulnerable.

Check Version:

Check via web interface or device CLI (vendor-specific commands)

Verify Fix Applied:

Verify firmware has been updated to a version not listed as affected. Test with controlled command injection attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ping.cmd requests with shell metacharacters
  • Unexpected command execution in system logs

Network Indicators:

  • HTTP requests to ping.cmd with suspicious parameters
  • Outbound connections from device to unexpected destinations

SIEM Query:

http.url:*ping.cmd* AND (http.param:*;* OR http.param:*|* OR http.param:*`*)
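As an added detection example (not from the advisory or the vendor): a small Python scanner that applies the logic of the SIEM query above to constructed web-server access-log lines, URL-decoding each ping.cmd parameter before looking for shell metacharacters so that percent-encoded payloads are not missed.

```python
# Added example, not part of the advisory. Log format and lines are constructed.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Shell metacharacters that never belong in a ping target (host or IP).
META = re.compile(r"[;|`&$<>\n\r]")

# Constructed sample access-log lines (Common Log Format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping.cmd?ip=10.0.0.1 HTTP/1.1" 200 120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /ping.cmd?ip=10.0.0.1%3Bid HTTP/1.1" 200 340
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /ping.cmd?ip=8.8.8.8%7Cuname HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 50
"""

REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for ping.cmd requests whose values
    contain shell metacharacters; an empty dict for anything else."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("ping.cmd"):
        return {}
    hits = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # second decode catches double-encoding
        if META.search(decoded):
            hits[key] = decoded
    return hits


def scan_log(text: str) -> list:
    """Return (client_ip, request_target, flagged_params) per suspicious line."""
    findings = []
    for line in text.splitlines():
        m = REQ.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((line.split()[0], m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {target} -> {hits}")
```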
