Cyber Posture

CVE-2020-37153

Critical · Public PoC

Published: 11 February 2026

Modified: 20 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (38.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly remediates the XSS and command injection flaws in ASTPP's SIP device configuration and plugin management interfaces through timely patching and flaw correction.
- prevent: Prevents command injection and XSS exploitation by validating and sanitizing all user inputs to the vulnerable SIP device configuration and plugin management interfaces.
- prevent: Enforces authentication and authorization to block unauthenticated remote access to the exploited SIP device configuration and plugin management interfaces.

Security Summary (AI-generated)

CVE-2020-37153 is a set of multiple vulnerabilities in ASTPP 4.0.1, including cross-site scripting (CWE-79) and command injection flaws within the SIP device configuration and plugin management interfaces. ASTPP is an open-source VoIP billing and provisioning system. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to the potential for high-impact remote exploitation.

Unauthenticated attackers can exploit these issues remotely over the network with low complexity and no user interaction required. Exploitation enables injection of system commands, hijacking of administrator sessions via cross-site scripting, and execution of arbitrary code with root permissions through manipulation of cron tasks, compromising confidentiality, integrity, and availability.

Advisories and related resources include the official ASTPP GitHub repository at https://github.com/iNextrix/ASTPP, the project website at https://www.astppbilling.org/, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/47889, and a VulnCheck advisory detailing ASTPP VoIP remote code execution at https://www.vulncheck.com/advisories/astpp-voip-remote-code-execution. Practitioners should consult these for mitigation guidance and patch details.

Details

CWE(s)

Affected Products

Vendor: inextrix · Product: astpp · Version: 4.0.1

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in the public-facing web interfaces maps to exploitation of a public-facing application (T1190) and Unix shell command execution (T1059.004); the XSS enables administrator session hijacking but is covered primarily under the exploitation technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References