CVE-2020-8657

EyesOfNetwork Use of Hard-Coded Credentials Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.

Se detectó un problema en EyesOfNetwork versión 5.3. La instalación utiliza la misma clave de la API (embebida como EONAPI_KEY en el archivo include/api_functions.php para la API versión 2.4.2) por defecto para todas las instalaciones, lo que permite a un atacante calcular y adivinar el token de acceso de administrador.

EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2020-02-06 CVE Reserved
2020-02-06 CVE Published
2020-03-03 First Exploit
2021-11-03 Exploited in Wild
2022-05-03 KEV Due Date
2025-02-04 CVE Updated
2025-02-17 EPSS Updated

CWE

CWE-798: Use of Hard-coded Credentials

CAPEC

References (5)

URL	Tag	Source
https://github.com/EyesOfNetworkCommunity/eonapi/issues/17	Third Party Advisory
https://github.com/h4knet/eonrce

URL	Date	SRC
https://packetstorm.news/files/id/156605	2020-03-03
https://www.exploit-db.com/exploits/48169	2020-03-05
http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html	2025-02-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eyesofnetwork Search vendor "Eyesofnetwork"		Eyesofnetwork Search vendor "Eyesofnetwork" for product "Eyesofnetwork"				5.3-0 Search vendor "Eyesofnetwork" for product "Eyesofnetwork" and version "5.3-0"		-		Affected