Cyber Posture

CVE-2020-36909

MediumPublic PoC

Published: 06 January 2026

Published
06 January 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0022 43.8th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

SnapGear Management Console SG560 3.1.5 contains a file manipulation vulnerability that allows authenticated users to read, write, and delete files using the edit_config_files CGI script. Attackers can manipulate POST request parameters in /cgi-bin/cgix/edit_config_files to access and modify files outside the…

more

intended /etc/config/ directory.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates path traversal in POST parameters by validating and sanitizing file path inputs to the edit_config_files CGI script.

AC-6 Least Privilege good match
prevent

Enforces least privilege for authenticated users and the CGI process, limiting the scope of arbitrary file read, write, and delete operations.

AC-3 Access Enforcement partial match
prevent

Enforces approved access authorizations to restrict file manipulations to the intended /etc/config/ directory despite path traversal attempts.

Security SummaryAI

CVE-2020-36909 is a file manipulation vulnerability (CWE-22) in the SnapGear Management Console SG560 version 3.1.5. The issue affects the edit_config_files CGI script at /cgi-bin/cgix/edit_config_files, which permits authenticated users to read, write, and delete files outside the intended /etc/config/ directory through manipulation of POST request parameters.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Exploitation grants access to arbitrary file read, write, and delete operations, resulting in high confidentiality impact and a CVSS v3.1 base score of 6.5 (C:H/I:N/A:N).

Advisories and proof-of-concept exploits are documented in references including VulnCheck (https://www.vulncheck.com/advisories/secure-computing-snapgear-management-console-sg-arbitrary-file-readwrite), Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5568.php), Exploit-DB (https://www.exploit-db.com/exploits/48556), and PacketStorm (https://packetstorm.news/files/id/157939). No specific patches or mitigation steps are detailed in the provided information.

Publicly available proof-of-concept exploits highlight the vulnerability's exploitability in affected SnapGear deployments.

Details

CWE(s)
CWE-22

Affected Products

securecomputing
snapgear sg560 firmware
3.1.5

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1003.008 /etc/passwd and /etc/shadow Credential Access
Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking.
attack.mitre.org →
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
attack.mitre.org →
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
attack.mitre.org →
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
attack.mitre.org →
Why these techniques?

Path traversal in CGI script enables authenticated low-priv users to perform arbitrary file read/write/delete, facilitating privilege escalation via exploitation (T1068), credential dumping from Linux credential stores (T1003.008), file discovery (T1083), evasion via deletion (T1070.004), and unsecured credential collection (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References