Cyber Posture

CVE-2020-36883

Severity: High · Public PoC

Published: 10 December 2025
Modified: 21 January 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0051 (66.5th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Requires validation of unverified input parameters in file backup and deletion operations, directly preventing path traversal exploits.
- prevent: Mandates timely identification, reporting, and remediation of flaws like this authenticated path traversal vulnerability through patching.
- prevent: Restricts malicious information inputs such as traversal sequences in file operation parameters, mitigating exploitation attempts.

Security Summary [AI-generated]

CVE-2020-36883 is an authenticated path traversal vulnerability affecting SpinetiX Fusion Digital Signage versions 3.4.8 and lower. The flaw resides in the index.php component, where unverified input parameters in file backup and deletion operations enable attackers to employ path traversal techniques. This allows manipulation of backup files to be written to arbitrary locations on the filesystem and arbitrary file deletion.

The vulnerability requires low privileges (PR:L), meaning an authenticated user with basic access can exploit it over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high integrity (I:H) and availability (A:H) impacts with no confidentiality impact (C:N), which is reflected in its CVSS v3.1 score of 8.1. Attackers can overwrite critical files via malicious backups or delete essential system files, potentially leading to denial of service or full system compromise.

Advisories from VulnCheck (vulncheck.com) and Zero Science (zeroscience.mk) document the issue, including exploit details available on Exploit-DB (exploit-db.com/exploits/48844). Mitigation recommendations, detailed in these sources and on the vendor site (spinetix.com), emphasize updating to patched versions where available and validating input parameters to prevent path traversal in file operations. A public proof-of-concept exploit exists, indicating potential for real-world abuse.
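The input validation these sources recommend, written out as an added PHP example. This is not SpinetiX code and does not reproduce index.php; the backup directory, the `name` request parameter and the handler names are assumptions. The idea is that a backup or delete request may only name a plain file directly inside one fixed directory, checked twice: by an allowlist on the supplied name, then by resolving the final path and confirming it did not escape.

```php
<?php
// Added example (not SpinetiX code): a defensive guard of the kind the
// advisories recommend for the backup and delete parameters in index.php.
// BACKUP_DIR, the 'name' parameter and the handler names are assumptions.

const BACKUP_DIR = '/var/lib/signage/backups'; // assumed location

/**
 * Map a user-supplied backup name to an absolute path that is guaranteed to
 * lie directly inside $baseDir. Returns null for anything else.
 */
function safe_backup_path(string $baseDir, string $userName): ?string
{
    // Allowlist: a plain file name only. Slashes, backslashes, NUL bytes and
    // leading dots never match, so "../../etc/passwd" or "..\\x" is rejected.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $userName)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null; // the backup directory itself must exist
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $userName;

    // Second line of defence: if the entry already exists, resolve symlinks
    // and require the real location to be exactly the expected path. A link
    // planted inside the directory that points elsewhere fails this test.
    $resolved = realpath($candidate);
    if ($resolved !== false && $resolved !== $candidate) {
        return null;
    }
    return $candidate; // may not exist yet, which is fine for a new backup
}

/** Pull the name parameter as a string; arrays (name[]=x) are rejected. */
function requested_name(array $params): ?string
{
    $name = $params['name'] ?? null;
    return is_string($name) ? $name : null;
}

/** Write a backup; returns false instead of writing anywhere else. */
function handle_backup(array $params, string $payload): bool
{
    $name = requested_name($params);
    $target = $name === null ? null : safe_backup_path(BACKUP_DIR, $name);
    if ($target === null) {
        return false;
    }
    return file_put_contents($target, $payload, LOCK_EX) !== false;
}

/** Delete a backup; only an existing regular file inside BACKUP_DIR qualifies. */
function handle_delete(array $params): bool
{
    $name = requested_name($params);
    $target = $name === null ? null : safe_backup_path(BACKUP_DIR, $name);
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed sample names run against the system temp directory so the
// check can be exercised from the command line without touching BACKUP_DIR.
if (PHP_SAPI === 'cli') {
    $samples = [
        'site-2025-12-10.tar.gz',   // plain name: accepted
        '../../etc/passwd',         // traversal: rejected
        "backup\0.tar.gz",          // NUL injection: rejected
        '.htaccess',                // dotfile: rejected by the allowlist
        'sub/dir.tar.gz',           // embedded separator: rejected
    ];
    foreach ($samples as $sample) {
        $verdict = safe_backup_path(sys_get_temp_dir(), $sample) === null ? 'rejected' : 'accepted';
        printf("%-28s %s\n", addcslashes($sample, "\0"), $verdict);
    }
}
```

The allowlist alone already blocks the traversal the advisories describe; the `realpath()` comparison covers the case where something inside the directory is a symbolic link, and `is_file()` on the delete path keeps the handler from removing directories or special files.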

Details

CWE(s)

Affected Products

- spinetix / fusion digital signage: ≤ 3.4.8

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
- T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability is a path traversal in a web application (index.php) enabling arbitrary file overwrite via backups (T1565.001 Stored Data Manipulation) and deletion (T1070.004 File Deletion), exploited as a public-facing or remote web app flaw (T1190 Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
