CVE-2009-20011
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-30

Last updated on: 2025-09-02

Assigner: VulnCheck

Description
ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 are vulnerable to remote command execution due to insecure handling of file uploads via the mimencode CGI utility. The vulnerability allows unauthenticated attackers to upload and execute arbitrary scripts as the Apache user. Additionally, the exploit can optionally escalate privileges by abusing insecure PATH usage in the benetool binary, resulting in root-level access if successful.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-30
Last Modified
2025-09-02
Generated
2026-06-16
AI Q&A
2025-08-30
EPSS Evaluated
2026-06-14
NVD
CVE-2009-20011
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
contentkeeper contentkeeper_web_appliance 125.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection can be performed by sending a GET request to the vulnerable CGI script endpoint `/cgi-bin/ck/mimencode` and checking for a "500 Internal" server response, which indicates the presence of the vulnerability. For example, using curl: `curl -i http://<target-ip>/cgi-bin/ck/mimencode` and inspecting the HTTP status code. Additionally, monitoring for unusual POST requests uploading base64-encoded payloads to this endpoint may indicate exploitation attempts. [2]

Executive Summary

This vulnerability affects ContentKeeper Web Appliance versions prior to 125.10 and allows unauthenticated remote attackers to upload and execute arbitrary scripts on the server via the mimencode CGI utility. The exploit involves sending specially crafted requests to upload malicious payloads that run as the Apache user. Additionally, attackers can optionally escalate privileges to root by abusing insecure PATH usage in the benetool binary, enabling root-level access if successful. [1, 2]

Impact Analysis

The vulnerability can lead to remote code execution on the affected system without any authentication or user interaction. Attackers can execute arbitrary commands as the Apache user and potentially escalate privileges to root, resulting in full system compromise. This impacts confidentiality, integrity, and availability of the system, allowing attackers to control system components and security attributes. [1, 2]

Mitigation Strategies

Immediate mitigation steps include upgrading the ContentKeeper Web Appliance to version 125.10 or later, where the vulnerability is fixed. If upgrading is not immediately possible, restrict access to the `/cgi-bin/ck/mimencode` CGI script by network controls such as firewall rules to prevent unauthenticated remote access. Also, monitor and block suspicious POST requests attempting to upload files to this endpoint. After any exploitation attempt, ensure to check and remove any unauthorized setuid root binaries (e.g., `/bin/bash` with setuid bit set) and restore original system files. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2009-20011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart