CVE-2020-37002
Authentication Bypass in Ajenti 2.1.36 Enables Remote Code Execution
Publication date: 2026-01-29
Last updated on: 2026-01-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ajenti | ajenti | 2.1.36 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37002 is an authentication bypass vulnerability in Ajenti version 2.1.36 that allows remote attackers to execute arbitrary commands after successfully logging in. Attackers exploit the /api/terminal/create endpoint to send a netcat reverse shell payload, which opens a remote shell connection to a specified IP address and port, enabling full remote code execution on the server. [1, 2]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker with valid credentials can gain full shell access, potentially leading to data theft, system compromise, disruption of services, and further network penetration. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious use of the /api/terminal/create endpoint on Ajenti 2.1.36, especially POST requests that include netcat reverse shell payloads. Detection commands could include inspecting web server logs or using network monitoring tools to identify outgoing connections initiated by netcat (nc) commands. For example, you can use commands like `grep '/api/terminal/create' /var/log/nginx/access.log` to find suspicious API calls, or `netstat -anp | grep nc` to detect active netcat connections. Additionally, monitoring for unexpected reverse shell connections on unusual ports can help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Ajenti management interface to trusted IP addresses, enforcing strong authentication and credential management since the exploit requires valid credentials, and monitoring or blocking usage of the /api/terminal/create endpoint. Applying any available patches or updates to Ajenti that address this vulnerability is critical. Additionally, disabling or restricting the terminal API functionality if not needed can reduce risk. [1, 2]