CVE-2020-36904
Remote Code Execution in Selea CarPlateServer via Config Manipulation
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| selea | carplateserver | 3.100 |
| selea | carplateserver | 3.005 |
| selea | carplateserver | 4.013 |
| selea | carplateserver | 4.0.1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36904 is a critical remote code execution vulnerability in Selea CarPlateServer versions up to 4.0.1.6. It allows attackers to bypass authentication on the /cps/ endpoint and manipulate the NO_LIST_EXE_PATH configuration parameter to execute arbitrary Windows binaries on the server. This means an attacker can run any program they choose remotely, including changing admin passwords and executing system commands, without needing any privileges or user interaction. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to a complete compromise of the affected system. Attackers can execute arbitrary code remotely, bypass authentication, modify server configurations, change administrator and user passwords, and potentially cause denial of service (DoS). This puts the system's security and integrity at significant risk, allowing unauthorized access and control over the traffic control and road safety system. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Selea CarPlateServer software version 3.005 through 4.0.1.6 is running on your system. You can monitor network traffic for unauthorized POST requests to the /cps/ endpoint, especially those targeting /config_request?ACTION=WRITE with JSON payloads attempting to set the NO_LIST_EXE_PATH parameter. A practical detection method includes capturing HTTP requests to the /cps/ endpoint and looking for attempts to modify configuration parameters without authentication.

For example, use curl or a similar tool to see if the server accepts such requests without authentication:

```
curl -X POST "http://<server-ip>/cps/config_request?ACTION=WRITE" -d '{"NO_LIST_EXE_PATH":"C:/windows/system32/calc.exe"}' -H "Content-Type: application/json"
```

Additionally, network intrusion detection systems (NIDS) can be configured to alert on such suspicious POST requests to the /cps/ endpoint. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1) Restrict network access to the /cps/ endpoint to trusted IP addresses only, preventing unauthorized access from external or untrusted sources.
2) Apply any available patches or updates from Selea that address this vulnerability, as newer firmware and software versions have fixed most issues.
3) If patches are not immediately available, disable or block access to the vulnerable configuration endpoint (/cps/) to prevent exploitation.
4) Monitor logs for suspicious activity related to configuration changes or unauthorized POST requests.
5) Change all administrator and user passwords to prevent unauthorized access if compromise is suspected.
6) Consider implementing network-level protections such as firewalls or web application firewalls (WAF) to block malicious requests targeting this vulnerability.

[2, 3]
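The monitoring described in the detection answer and in mitigation steps 1 and 4, sketched as an added example (not part of the original page and not vendor code): it classifies captured HTTP requests to /cps/ and flags configuration writes that touch NO_LIST_EXE_PATH. The record fields (`src`, `method`, `uri`, `body`), the trusted subnet and the `LOG_LEVEL` key are assumptions, and the sample records are constructed.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: the management subnet allowed to reach /cps/ (mitigation step 1).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WATCHED_KEY = "NO_LIST_EXE_PATH"

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def classify(rec):
    """Return (severity, reason) for one captured HTTP request, or None."""
    parts = urlsplit(rec["uri"])
    path = parts.path.lower()  # case-insensitive so /CPS/ is not missed
    if rec["method"].upper() != "POST" or not path.startswith("/cps/"):
        return None
    query = {k.upper(): [v.upper() for v in vs]
             for k, vs in parse_qs(parts.query).items()}
    is_write = path.endswith("/config_request") and "WRITE" in query.get("ACTION", [])
    body = rec.get("body", "")
    try:
        doc = json.loads(body)
        keys = {k.upper() for k in doc} if isinstance(doc, dict) else set()
    except ValueError:
        keys = set()
    # Substring fallback so a malformed JSON body still trips the rule.
    sets_exe = WATCHED_KEY in keys or WATCHED_KEY in body.upper()
    if is_write and sets_exe:
        return ("critical", f"config write sets {WATCHED_KEY}")
    if not is_trusted(rec["src"]):
        return ("high" if is_write else "medium", "POST to /cps/ from untrusted source")
    return None

def scan(records):
    """Return (src, severity, reason) for every record that matches a rule."""
    return [(r["src"], *hit) for r in records if (hit := classify(r))]

# Constructed sample records (documentation addresses, not real traffic).
W = "/cps/config_request?ACTION=WRITE"
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "uri": W,
     "body": '{"NO_LIST_EXE_PATH":"C:/windows/system32/calc.exe"}'},
    {"src": "10.20.0.15", "method": "POST", "uri": W, "body": '{"LOG_LEVEL":"2"}'},
    {"src": "198.51.100.9", "method": "POST",
     "uri": "/CPS/config_request?action=write", "body": '{"no_list_exe_path": '},
    {"src": "203.0.113.7", "method": "POST", "uri": W, "body": '{"LOG_LEVEL":"2"}'},
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A write that sets NO_LIST_EXE_PATH is reported as critical even from a trusted address, because the page describes that parameter as the path to code execution.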