CVE-2020-37118 Overview
CVE-2020-37118 is a Cross-Site Request Forgery (CSRF) vulnerability affecting P5 FNIP-8x16A and FNIP-4xSH devices running firmware version 1.0.20. This vulnerability allows attackers to perform administrative actions without user interaction by crafting malicious web pages. When authenticated users visit a specially crafted page, attackers can add new admin users, change passwords, and modify system configurations without the victim's knowledge or consent.
Critical Impact
Attackers can fully compromise device administration by tricking authenticated users into loading malicious pages, enabling unauthorized creation of admin accounts and modification of system configurations.
Affected Products
- P5 FNIP-8x16A firmware version 1.0.20
- P5 FNIP-4xSH firmware version 1.0.20
Discovery Timeline
- 2026-02-05 - CVE CVE-2020-37118 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2020-37118
Vulnerability Analysis
This CSRF vulnerability exists due to the lack of proper anti-forgery token validation in the P5 FNIP device web management interface. The affected devices fail to implement adequate request validation mechanisms, allowing state-changing requests to be forged by external websites. When an authenticated administrator visits a malicious webpage while logged into the device management interface, the attacker-controlled page can submit requests to the device on behalf of the user.
The vulnerability is particularly concerning for industrial control and automation environments where these devices are commonly deployed. The network-based attack vector requires user interaction (visiting a malicious page), but the exploitation itself requires no special privileges from the attacker's perspective.
Root Cause
The root cause of CVE-2020-37118 is the absence of CSRF protection mechanisms in the device's web application. Specifically, the administrative interface does not implement CSRF tokens, same-site cookie attributes, or origin header validation. This allows cross-origin requests from attacker-controlled websites to be processed as legitimate administrative commands when a user's browser includes valid session cookies.
Attack Vector
The attack leverages the network-accessible web management interface of P5 FNIP devices. An attacker creates a malicious webpage containing hidden forms or JavaScript that automatically submits requests to the target device. When an authenticated administrator browses to the attacker's page, their browser automatically includes authentication cookies with the forged requests, causing the device to execute privileged operations such as:
- Creating new administrative user accounts
- Changing existing user passwords
- Modifying device configurations
- Altering system settings
The attack requires no direct access to the target network if the victim's browser can reach both the attacker's page and the target device.
For technical exploitation details, refer to the Zero Science Vulnerability Advisory ZSL-2020-5564 and Exploit-DB #48362.
Detection Methods for CVE-2020-37118
Indicators of Compromise
- Unexpected creation of new administrative user accounts on P5 FNIP devices
- Unauthorized password changes for existing administrative accounts
- Configuration modifications without corresponding legitimate administrative activity
- Web server logs showing administrative requests with external referrer headers
Detection Strategies
- Monitor P5 FNIP device audit logs for administrative account creation events without corresponding legitimate activity
- Implement network monitoring to detect cross-origin requests to device management interfaces
- Review web server access logs for requests containing external or suspicious referrer headers
- Deploy network intrusion detection rules to identify CSRF attack patterns targeting device management endpoints
Monitoring Recommendations
- Enable comprehensive logging on all P5 FNIP device web interfaces
- Implement alerting for any administrative account modifications
- Monitor network traffic for unusual patterns of requests to device management ports
- Conduct periodic audits of administrative user accounts to detect unauthorized additions
How to Mitigate CVE-2020-37118
Immediate Actions Required
- Restrict network access to P5 FNIP device management interfaces using firewall rules or network segmentation
- Implement strict access controls limiting administrative access to trusted network segments only
- Advise administrators to avoid browsing untrusted websites while authenticated to device management interfaces
- Consider placing devices behind a VPN to reduce attack surface
Patch Information
No vendor patch information is currently available. Organizations should monitor the P5 Security Overview page for firmware updates addressing this vulnerability. Additional details are available in the VulnCheck Advisory on CSRF and IBM X-Force Vulnerability Database.
Workarounds
- Isolate affected devices on dedicated management VLANs inaccessible from user workstations
- Implement a web application firewall (WAF) in front of device management interfaces to filter suspicious requests
- Configure browser-based protections such as strict same-site cookie policies where supported
- Require administrators to use dedicated browser profiles or separate machines for device management tasks
# Example network isolation configuration (iptables)
# Restrict access to P5 FNIP management interface (port 80/443) to trusted management subnet only
iptables -A INPUT -p tcp --dport 80 -s 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
