CVE-2020-37144
CSRF in Exagate SYSGuard 6001 Enables Unauthorized Admin Creation
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| exagate | sysguard | 6001 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The vulnerability is a Cross-Site Request Forgery (CSRF) in Exagate SYSGuard 6001. It allows attackers to create unauthorized administrative accounts by tricking users into submitting a malicious HTML form. This form sends a crafted POST request to the /kulyon.php endpoint, which adds a new user with administrative privileges without the victim's consent."}, {'type': 'paragraph', 'content': 'The attacker exploits the CSRF flaw by embedding hidden fields in the form that specify the username, password, and privilege level for the new admin user. When the victim unknowingly submits this form, the attacker gains administrative access to the system.'}] [2]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can lead to unauthorized administrative access to the SYSGuard 6001 system. An attacker can add a new admin user without authorization, potentially allowing them to control, manipulate, or disrupt the system's operations."}, {'type': 'paragraph', 'content': 'Such unauthorized access could compromise the security and integrity of the monitored infrastructure, leading to potential data manipulation, loss of control over environmental monitoring, and increased risk of further attacks.'}] [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized POST requests to the /kulyon.php endpoint that attempt to create new administrative users. Specifically, look for HTTP POST requests containing parameters that add a user with administrative privileges.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web server logs to detect suspicious activity. For example, using command-line tools like curl or tcpdump to inspect traffic or grep to search logs for POST requests to /kulyon.php.'}, {'type': 'list_item', 'content': "Check web server access logs for POST requests to /kulyon.php: grep 'POST /kulyon.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP POST traffic to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/kulyon.php'"}, {'type': 'list_item', 'content': 'Use curl to test the vulnerability by submitting a crafted POST request similar to the exploit form.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /kulyon.php endpoint to trusted users only and implementing CSRF protection mechanisms such as tokens to prevent unauthorized form submissions.
Additionally, monitor and audit user account creation activities to detect any unauthorized administrative accounts.
If possible, update or patch the SYSGuard 6001 software to a version that addresses this vulnerability or contact the vendor for security updates.
As a temporary measure, consider disabling the vulnerable functionality or restricting HTTP methods to prevent POST requests to the vulnerable script.