Attacker Value



(1 user assessed) High
Attack Vector
Privileges Required
User Interaction


** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Add Assessment

Technical Analysis

Cayin CMS systems have an AUTHENTICATED RCE in the NTP configuration. The system didn’t install correctly on Ubuntu 20.04 at the time the exploit was released, and the company recommends Ubuntu 16.04, unknown if 18.04 will work. Grants root on Ubuntu.

Requires creds, default for CMS-SE was administrator:admin, but the original write-up mentions webadmin:bctvadmin.

CMS system can come on hardware devices. CMS-SE the exploitable file is system_service.cgi however the original vuln write-up mentions system.cgi, so it looks like there is a variance between the hardware devices and the Ubuntu installer. YMMV.

After authentication, the exploit is against the NTP server IP field. During testing of CMS-SE the Update button/functionality was used. Clicking save did not have an immediate effect, and Test worked, but executed 3 times. If your payload is small, you could use Test, however with a larger payload like meterp, it was determined that the payload was writing 3 times in each stage… So if the payload chunks were A, B, C, the payload ended up AAABBBCCC.
Due to character limit, any payload that isn’t small will need to go through a cmdstager type chunking. The field can take ~200 characters, believed to be about ~230 but 200 was used in the exploit to allow for padding.

General Information

Additional Info

Technical Analysis