CVE-2020-36948
Published: 27 January 2026
Description
VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.
Mitigating Controls (NIST 800-53 r5) [AI]
AC-3 (Access Enforcement) requires the system to enforce approved authorizations on every request. Applied here, the server must verify that the caller actually holds the administrative role before honoring a LoginAs request, rather than trusting a client-supplied token or target user.
IA-5 (Authenticator Management) covers the lifecycle of authenticators, session tokens included: generating them with sufficient entropy, binding them to the session that issued them, expiring them, and validating them server-side. That is the control that addresses the insufficient token validation at the root of this flaw.
SC-23 (Session Authenticity) requires that session identifiers be protected from manipulation and that their integrity be verified on use, so a remote attacker cannot alter a token to obtain another user's session or trigger an unauthorized login.
Security Summary [AI]
CVE-2020-36948 is a session token vulnerability in the LoginAs module of VestaCP version 0.9.8-26. The flaw arises from insufficient token validation, enabling remote attackers to manipulate authentication tokens and bypass proper checks.
The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8) rates the flaw as exploitable by an unauthenticated remote attacker with low attack complexity and no user interaction, and it is classified under CWE-863 (Incorrect Authorization). Note that the description's wording, "without proper administrative permissions", reads as an attacker who already holds an ordinary account and reaches other accounts through the impersonation feature; the vector's PR:N is stricter than that. Either way, successful exploitation yields access to other users' accounts and unauthorized logins without administrative rights.
Advisories from VulnCheck and Vulnerability Lab, together with a public proof-of-concept exploit on Exploit-DB, document the issue, and the official VestaCP site provides related information. No patch details are given in the available references, so operators of 0.9.8-26 should treat the LoginAs module as exposed and restrict access to the panel until a fix is confirmed.
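The pattern behind this flaw, an impersonation ("login as") token that the server does not properly validate, is easier to see in code. The following is an added example written for this page and is not VestaCP's code; the function names, user table and token format are assumptions. The unsafe function shows the shape the advisory describes (client-chosen target, token only checked for presence); the hardened pair applies the three controls above: the authorization check runs server-side at issue time (AC-3), the token is generated and managed by the server (IA-5), and its integrity, expiry, single-use status and binding to the issuing session are verified before use (SC-23).

```python
# Added illustration, not VestaCP's code. All names are hypothetical.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical user table: only administrators may impersonate.
USERS = {
    "admin": {"role": "admin"},
    "alice": {"role": "user"},
    "bob": {"role": "user"},
}

# Per-deployment server-side key; never sent to the client.
SECRET = secrets.token_bytes(32)


def login_as_unsafe(params):
    """Insufficient token validation: the caller picks the target user and the
    'token' is only tested for presence, so any caller can become any user."""
    if not params.get("token"):
        return None
    return params.get("user")


# Hardened flow: tokens are issued server-side, HMAC-signed, time-limited,
# bound to the issuing admin session, and single-use.
_issued = {}  # token id -> issued record, for replay protection


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_login_as_token(requester, requester_session_id, target, ttl=60, now=None):
    """AC-3: the authorization decision is made on the server at issue time."""
    if USERS.get(requester, {}).get("role") != "admin":
        raise PermissionError("only administrators may use LoginAs")
    if target not in USERS:
        raise ValueError("unknown target user")
    now = int(time.time()) if now is None else now
    rec = {
        "tid": secrets.token_urlsafe(16),
        "by": requester,
        "sid": requester_session_id,
        "target": target,
        "exp": now + ttl,
    }
    payload = json.dumps(rec, sort_keys=True).encode()
    _issued[rec["tid"]] = rec
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def redeem_login_as_token(token, presenting_session_id, now=None):
    """Returns the target username, or None if any check fails.
    IA-5/SC-23: integrity, known-issue, expiry, session binding and
    single-use are all verified before the impersonation is granted."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged
    rec = json.loads(payload)
    stored = _issued.get(rec.get("tid"))
    if stored is None or stored != rec:
        return None  # unknown or already used
    if now > rec["exp"]:
        return None  # expired
    if not hmac.compare_digest(rec["sid"].encode(), presenting_session_id.encode()):
        return None  # presented from a session other than the issuing admin's
    del _issued[rec["tid"]]  # single use
    return rec["target"]
```

The signature is checked first and in constant time, so nothing inside the token is trusted until its integrity is established; the session binding means a token captured from an administrator cannot be replayed from the attacker's own session.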
Details
- CWE(s): CWE-863 (Incorrect Authorization)
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The flaw sits in a public-facing VestaCP web application and lets a remote attacker manipulate session tokens to gain access to other users' accounts, which maps directly to Exploit Public-Facing Application (T1190).