CVE-2020-36910

Description

Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root.

PUBLISHED Reserved 2026-01-03 | Published 2026-01-06 | Updated 2026-01-06 | Assigner VulnCheck

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.exploit-db.com/exploits/48557 (ExploitDB-48557) exploit

www.cayintech.com (Cayin Technology Official Website) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php (Zero Science Lab Disclosure (ZSL-2020-5569)) third-party-advisory

packetstorm.news/files/id/157942 (Packet Storm Security Exploit Entry) exploit

exchange.xforce.ibmcloud.com/vulnerabilities/182924 (IBM X-Force Vulnerability Exchange) vdb-entry

cxsecurity.com/issue/WLB-2020060049 (CXSecurity Vulnerability Listing) exploit

www.vulncheck.com/...ote-command-injection-via-ntp-parameter (VulnCheck Advisory: Cayin Signage Media Player 3.0 Authenticated Remote Command Injection via NTP Parameter) third-party-advisory

cve.org (CVE-2020-36910)

nvd.nist.gov (CVE-2020-36910)

Download JSON