CVE-2020-37095
Buffer Overflow in Cyberoam Client Enables Remote Code Execution
Publication date: 2026-02-07
Last updated on: 2026-02-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyberoam | authentication_client | to 2.1.2.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2020-37095 is a critical stack-based buffer overflow vulnerability in Cyberoam Authentication Client version 2.1.2.7 and earlier. It occurs due to improper handling of input in the 'Cyberoam Server Address' field, allowing attackers to overwrite the Structured Exception Handler (SEH) memory."}, {'type': 'paragraph', 'content': 'Exploitation of this vulnerability enables remote attackers to execute arbitrary code with system-level privileges by triggering a bind TCP shell on port 1337.'}] [1, 2]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows attackers to execute arbitrary code on the affected system with system-level access, which can lead to full control over the device.'}, {'type': 'list_item', 'content': "Remote code execution via a crafted input in the 'Cyberoam Server Address' field."}, {'type': 'list_item', 'content': 'Spawning a bind TCP shell on port 1337, enabling remote command execution.'}, {'type': 'list_item', 'content': 'Potential compromise of confidentiality, integrity, and availability of the system.'}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if the Cyberoam Authentication Client version 2.1.2.7 or earlier is installed on the system, as these versions contain the buffer overflow flaw in the 'Cyberoam Server Address' field."}, {'type': 'paragraph', 'content': 'Additionally, detection can involve monitoring for unusual network activity, specifically a bind TCP shell listening on port 1337, which is the port exploited by attackers to gain system-level access.'}, {'type': 'list_item', 'content': 'On Windows systems, use the command: netstat -ano | findstr :1337 to check if port 1337 is open and listening.'}, {'type': 'list_item', 'content': 'Use tasklist or Process Explorer to identify any suspicious processes that might be associated with the exploit.'}, {'type': 'list_item', 'content': 'Check the installed software version by reviewing the Cyberoam Authentication Client version to confirm if it is 2.1.2.7 or earlier.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating or patching the Cyberoam Authentication Client to a version later than 2.1.2.7 where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': "If an update is not immediately available, restrict local access to the affected system to prevent attackers from exploiting the buffer overflow via the 'Cyberoam Server Address' input."}, {'type': 'paragraph', 'content': 'Monitor and block inbound and outbound traffic on TCP port 1337 to prevent attackers from connecting to the bind shell spawned by the exploit.'}, {'type': 'paragraph', 'content': 'Educate users to avoid interacting with suspicious inputs or prompts in the Cyberoam Authentication Client that could trigger the vulnerability.'}] [1, 2]