CVE-2020-37168 Overview
CVE-2020-37168 affects Ecommerce Systempay 1.0, a payment integration module that uses a 16-character production secret key to sign payment requests. The implementation relies on SHA1 hashing combined with a short, brute-forceable key, classified under [CWE-328] Use of Weak Hash. An attacker can capture a legitimate payment form submission, extract the signed parameters, and iteratively test candidate keys against the captured SHA1 signature until the correct production key is recovered. Once the key is known, attackers can forge valid signatures, tamper with transaction amounts, and submit fraudulent payments to the merchant backend.
Critical Impact
Recovery of the production signing key allows attackers to forge payment signatures and manipulate transaction amounts processed by the merchant.
Affected Products
- Ecommerce Systempay 1.0
- Merchant integrations using the SystemPay free payment module
- Any deployment relying on the 16-character production key for SHA1 signing
Discovery Timeline
- 2026-05-13 - CVE-2020-37168 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2020-37168
Vulnerability Analysis
The Ecommerce Systempay 1.0 module generates a signature for each payment request by concatenating form parameters with a production secret key and hashing the result using SHA1. The signature, along with all signed parameters, travels in the POST body sent to the payment endpoint. An attacker positioned to observe a single legitimate request, including their own test payment, possesses everything required to mount an offline brute force attack: the cleartext parameters and the resulting SHA1 hash.
The key space is limited to 16 characters drawn from a constrained character set. Modern hardware can compute SHA1 at rates exceeding billions of hashes per second, making exhaustive search practical depending on the alphabet and any predictable structure in the key. Once the key is recovered, the attacker can re-sign arbitrary payment payloads with altered amounts, currency, or order identifiers and submit them as authentic merchant requests.
Root Cause
The root cause is the combined use of a fast, unsalted SHA1 hash and a short fixed-length secret for transaction integrity. SHA1 was not designed as a password or key-derivation function and offers no computational hardness against brute force. The protocol lacks a server-side nonce, per-transaction salt, or HMAC construction with a key length sufficient to resist offline recovery.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker initiates a legitimate payment flow, captures the POST request containing the signed parameters and the SHA1 signature, then performs offline key recovery. After deriving the production key, the attacker crafts arbitrary signed payloads and submits them directly to the SystemPay endpoint, bypassing the integrity control entirely. See the VulnCheck Advisory for SystemPay and Exploit-DB #48017 for additional technical detail.
Detection Methods for CVE-2020-37168
Indicators of Compromise
- Repeated POST requests to the SystemPay payment endpoint from a single source with varying vads_amount values and identical session identifiers.
- Successful payment confirmations where the captured amount differs from the cart total recorded in the merchant database.
- Outbound traffic patterns consistent with key search activity, such as bursts of identical-format requests preceding a successful transaction.
Detection Strategies
- Reconcile every SystemPay callback against the originating order record and flag mismatches between vads_amount, vads_currency, and the merchant-side order total.
- Monitor for transactions signed with the production key but originating from IP addresses or user agents that did not perform the corresponding checkout flow.
- Alert on payment submissions that bypass the standard checkout sequence, for example callbacks without a preceding cart-creation event.
Monitoring Recommendations
- Enable detailed logging of all parameters and signatures on the payment endpoint and retain logs long enough to support fraud investigation.
- Integrate payment gateway logs with a SIEM and build correlation rules between web application logs, order database state, and payment confirmation events.
- Track aggregate metrics such as average transaction value and refund-to-sale ratio for early detection of amount tampering.
How to Mitigate CVE-2020-37168
Immediate Actions Required
- Rotate the SystemPay production key immediately and treat any historically exposed key as compromised.
- Migrate to a current, vendor-supported SystemPay integration that uses HMAC-SHA256 signatures rather than plain SHA1.
- Enforce server-side validation of vads_amount and order identifiers against the merchant order database before fulfilling any transaction.
Patch Information
No fixed version is referenced in the NVD entry for Ecommerce Systempay 1.0. Merchants should consult the SystemPay Documentation and the SystemPay Free Payment Module for current integration guidance and replace the deprecated 1.0 module with a supported release that implements HMAC-SHA256.
Workarounds
- Configure the SystemPay merchant back office to enforce HMAC-SHA256 signing and reject SHA1-signed requests.
- Restrict the payment endpoint at the web server or WAF layer to require expected referrers and rate-limit signature verification failures.
- Implement a server-to-server confirmation step that re-queries SystemPay for transaction status rather than trusting client-relayed callbacks.
# Configuration example: enforce HMAC-SHA256 and reconcile amounts server-side
# 1. In the SystemPay merchant back office, set signature algorithm to HMAC-SHA256
# 2. Rotate the production key after the change
# 3. Reject any inbound callback signed with SHA1
# 4. Validate the returned amount against the order record before fulfillment
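As an added example that is not part of the original advisory or the SystemPay module, the following Python implements the callback check described under Detection Strategies and Workarounds: it refuses legacy SHA1-style signatures, verifies an HMAC-SHA256 signature in constant time, and only then reconciles `vads_amount` and `vads_currency` against the merchant's order record. The signature layout (sorted `vads_*` values joined with `+`, base64 of the HMAC), the `vads_order_id` field, the `signature` field name, the key and the order table are assumptions constructed for the demonstration, not the vendor's documented format.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholders: a merchant key and an order record keyed by order id.
PRODUCTION_KEY = "placeholder-not-a-real-key"
ORDERS = {"ORD-1001": {"amount": "4990", "currency": "978"}}  # amount in minor units

_SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")

def signature_base(params):
    """Assumed layout: values of vads_* fields, sorted by field name, joined with '+'."""
    fields = sorted(k for k in params if k.startswith("vads_"))
    return "+".join(str(params[k]) for k in fields)

def hmac_sha256_signature(params, key):
    """Assumed HMAC-SHA256 form: base64 of the MAC over the base string, keyed with the secret."""
    mac = hmac.new(key.encode(), signature_base(params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_callback(params, key=PRODUCTION_KEY, orders=ORDERS):
    """Decide whether a payment callback may be fulfilled. Returns (accepted, reason)."""
    sig = params.get("signature", "")
    # A bare 40-hex-digit signature is the legacy SHA1 digest form: refuse it outright
    # rather than fall back to the brute-forceable scheme.
    if _SHA1_HEX.match(sig):
        return False, "sha1_signature_rejected"
    expected = hmac_sha256_signature(params, key)
    # Constant-time comparison so the verifier cannot be probed byte by byte.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad_signature"
    # A valid signature only proves the key was used; reconcile against the order
    # record so a re-signed payload with an altered amount or currency is still refused.
    order = orders.get(params.get("vads_order_id"))
    if order is None:
        return False, "unknown_order"
    if params.get("vads_amount") != order["amount"]:
        return False, "amount_mismatch"
    if params.get("vads_currency") != order["currency"]:
        return False, "currency_mismatch"
    return True, "ok"

def signed_callback(order_id, amount, currency, key=PRODUCTION_KEY):
    """Build a callback the way a gateway would sign it (used for the demonstration only)."""
    params = {"vads_order_id": order_id, "vads_amount": amount, "vads_currency": currency}
    params["signature"] = hmac_sha256_signature(params, key)
    return params
```

Every rejection reason is distinct so the same function can feed the SIEM correlation rules described above: a run of `amount_mismatch` results with valid signatures is the signal that the signing key itself has been recovered.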
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.