CVE-2020-25860
Public Exploits: 3
Exploited in Wild: -
Descriptions
The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
Timeline
- 2020-09-23 CVE Reserved
- 2020-12-21 CVE Published
- 2023-01-27 First Exploit
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Pengutronix | Rauc | < 1.5 | - | Affected |