Cyber Posture

CVE-2020-36886

Severity: High · Public PoC

Published: 10 December 2025

Modified: 17 December 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full system privileges when a logged-in user visits the page.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly mitigates CSRF by protecting the authenticity of communications sessions through mechanisms like anti-CSRF tokens, preventing forged requests for administrative actions.
- prevent: Addresses the core issue of lacking proper request validation by requiring validation of information inputs, including those in forms for creating admin accounts.
- prevent: Mitigates unauthorized admin account creation by enforcing managed processes for account provisioning and review to ensure only legitimate requests succeed.

Security Summary (AI-generated)

CVE-2020-36886 is a cross-site request forgery (CSRF) vulnerability, mapped to CWE-352, in SpinetiX Fusion Digital Signage version 3.4.8. The issue stems from a lack of proper request validation, allowing attackers to create new administrative user accounts with full system privileges. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An unauthenticated attacker (PR:N) can exploit this vulnerability by crafting a malicious webpage that automatically submits a form to the target system. When a logged-in user—typically an administrator—visits the page, the form submission creates a new admin account without the victim's knowledge or consent, granting the attacker full system access upon logging in with the new credentials. User interaction (UI:R) is required, but no special privileges are needed from the attacker.

Advisories and references detail the issue, including a proof-of-concept exploit at https://www.exploit-db.com/exploits/48846, vendor information at https://www.spinetix.com and https://www.spinetix.com/product/, a VulnCheck advisory at https://www.vulncheck.com/advisories/spinetix-fusion-digital-signage-cross-site-request-forgery-via-user-creation, and a Zero Science Labs report at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5592.php. These resources provide further guidance on the vulnerability, though specific patch or mitigation instructions are not detailed in the core description.
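To make the mitigation concrete, here is an added example (not SpinetiX code and not from any of the advisories above) of the pattern the "authenticity of communications sessions" control refers to: an admin-creation handler that relies only on the browser-attached session cookie, beside a hardened version that additionally checks the request Origin and a session-bound synchroniser token. The origin, session store, user table and request shapes are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# All names and data below are constructed for this example; they are not SpinetiX code.
ALLOWED_ORIGIN = "https://signage.example"          # constructed origin of the admin UI
SERVER_SECRET = secrets.token_bytes(32)             # per-process key used to derive tokens
SESSIONS = {"sess-admin-1": {"user": "alice", "is_admin": True}}  # constructed session store
USERS = {"alice": "admin"}                          # constructed user table


def csrf_token_for(session_id: str) -> str:
    """Synchroniser-token pattern: a token bound to the session via HMAC.

    The server renders this into the user-creation form. A page on another
    origin cannot read it, so it cannot include it in an auto-submitted form.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept a state-changing request only if Origin (or Referer) is the admin UI.

    Fails closed when neither header is present.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return False
    return src == ALLOWED_ORIGIN or src.startswith(ALLOWED_ORIGIN + "/")


def create_admin_unprotected(request: dict) -> dict:
    """Weak pattern: the session cookie, which the browser attaches automatically,
    is the only thing that authorises account creation."""
    session = SESSIONS.get(request["cookies"].get("session", ""))
    if not session or not session["is_admin"]:
        return {"status": 403, "reason": "not an authenticated admin"}
    USERS[request["form"]["username"]] = "admin"
    return {"status": 201, "created": request["form"]["username"]}


def create_admin_protected(request: dict) -> dict:
    """Hardened form: session check, then origin check, then constant-time token check."""
    session_id = request["cookies"].get("session", "")
    session = SESSIONS.get(session_id)
    if not session or not session["is_admin"]:
        return {"status": 403, "reason": "not an authenticated admin"}
    if not origin_allowed(request["headers"]):
        return {"status": 403, "reason": "cross-origin request rejected"}
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    USERS[request["form"]["username"]] = "admin"
    return {"status": 201, "created": request["form"]["username"]}


def forged_request() -> dict:
    """What the server sees when a logged-in admin's browser submits a form hosted
    on another origin: the session cookie rides along, the Origin is foreign, and
    no token is present (constructed)."""
    return {
        "cookies": {"session": "sess-admin-1"},
        "headers": {"Origin": "https://third-party.example"},
        "form": {"username": "unexpected_admin", "password": "x"},
    }


def request_with_token(token: str) -> dict:
    """A submission from the real admin UI carrying the given token (constructed)."""
    return {
        "cookies": {"session": "sess-admin-1"},
        "headers": {"Origin": ALLOWED_ORIGIN},
        "form": {"username": "new_operator", "password": "x", "csrf_token": token},
    }


def legitimate_request() -> dict:
    """The genuine form submission, with the token the server rendered for this session."""
    return request_with_token(csrf_token_for("sess-admin-1"))


if __name__ == "__main__":
    print("unprotected, forged: ", create_admin_unprotected(forged_request()))
    print("protected, forged:   ", create_admin_protected(forged_request()))
    print("protected, genuine:  ", create_admin_protected(legitimate_request()))
```

The order of checks matters for detection as much as for prevention: a forged submission is rejected at the origin check and logged with a distinct reason, so a spike of "cross-origin request rejected" responses on the user-creation endpoint is a usable alert signal. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control, but it should not replace the server-side token, because older clients and some navigation types do not honour it.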

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products: spinetix fusion digital signage, versions ≤ 3.4.8

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.

Why these techniques?

A CSRF vulnerability in a public-facing web application (T1190) is exploited by an unauthenticated remote attacker to create new local admin accounts with full privileges (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
