CVE-2020-36908
CSRF in SnapGear SG560 3.1.5 Enables Admin Account Creation

Publication date: 2026-01-06

Last updated on: 2026-02-23

Assigner: VulnCheck

Description
SnapGear Management Console SG560 version 3.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft a malicious web page that automatically submits a form to create a new super user account with full administrative privileges when a logged-in user visits the page.
Meta Information
Published: 2026-01-06
Last Modified: 2026-02-23
Generated: 2026-05-07
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: securecomputing
Product: snapgear_sg560_firmware
Version / Range: 3.1.5
CWE ID: CWE-352
Description: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Cross-Site Request Forgery (CSRF) in SnapGear Management Console SG560 version 3.1.5u1. It allows an attacker to trick a logged-in administrative user into visiting a malicious web page that automatically submits a hidden form. This form creates a new super user account with full administrative privileges without the user's consent, exploiting the system's failure to validate the legitimacy of administrative HTTP requests. [1, 2, 3]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized privilege escalation by allowing attackers to add a new superuser account with full administrative rights. This compromises the security of the SnapGear appliance, potentially giving attackers full control over the device, which can lead to further attacks, data breaches, or disruption of network security functions. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP POST requests to the administrative endpoint /cgi-bin/cgix/adminusers that attempt to create new super user accounts without proper authorization. Specifically, look for POST requests containing parameters such as login name, full name, password, and the access control flags (acl.login, acl.admin, acl.diags, acl.saverestore, acl.setpassword) all set to "on". Network traffic analysis tools or web server logs can be used to identify such suspicious requests. Tools like tcpdump or Wireshark can capture HTTP traffic, and grep can be used on web server logs to search for POST requests to /cgi-bin/cgix/adminusers with these parameters. For example, a command to search Apache logs might be [1]:

    grep "/cgi-bin/cgix/adminusers" /var/log/apache2/access.log | grep POST
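Access logs normally record only the request line, not the POST body, so the acl.* flags are visible only in reassembled HTTP requests from a capture. The following is an added example, not code from the vendor or from the original page: it classifies such requests using the endpoint and flag names given above, and compares Origin/Referer with Host to mark cross-site submissions. The sample requests, the 192.0.2.1 device address and the other-site.example host are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/cgix/adminusers"               # path named on this page
ACL_FLAGS = ("acl.login", "acl.admin", "acl.diags",
             "acl.saverestore", "acl.setpassword")  # flags named on this page

# Constructed sample request builder (addresses and hosts are placeholders).
BODY = "&".join(f"{flag}=on" for flag in ACL_FLAGS)

def sample(source_header: str, body: str = BODY) -> str:
    return ("POST /cgi-bin/cgix/adminusers HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"{source_header}Content-Type: application/x-www-form-urlencoded"
            f"\r\n\r\n{body}")

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into method, path, headers, form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, urlsplit(target).path, headers, form

def classify(raw: str) -> str:
    """Return 'ignore', 'superuser-create' or 'cross-site-superuser-create'."""
    try:
        method, path, headers, form = parse_request(raw)
    except ValueError:
        return "ignore"                     # not a well-formed request line
    if method != "POST" or path != ENDPOINT:
        return "ignore"
    if not all(form.get(flag) == "on" for flag in ACL_FLAGS):
        return "ignore"                     # not a full-privilege account request
    # Browsers attach Origin (or Referer) to form posts; a host that differs
    # from Host means the form was submitted from a page on another site.
    source = headers.get("origin") or headers.get("referer") or ""
    source_host = urlsplit(source).netloc
    if source_host and source_host != headers.get("host", ""):
        return "cross-site-superuser-create"
    return "superuser-create"               # same-site or no source: review

if __name__ == "__main__":
    for hdr in ("Origin: http://other-site.example\r\n",
                "Origin: http://192.0.2.1\r\n", ""):
        print(repr(hdr), "->", classify(sample(hdr)))
```

A "superuser-create" result still deserves a check against change records, since a legitimate administrator action and a request with stripped source headers look the same here.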


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the SnapGear Management Console SG560 administrative interface to trusted networks or IP addresses, implementing CSRF protections such as tokens to validate legitimate requests, and educating users to avoid visiting untrusted or suspicious websites while logged into the management console. Additionally, monitoring for unauthorized creation of super user accounts and applying any available patches or updates from the vendor is recommended. [1, 2, 3]

