CVE-2020-8657
In short
EyesOfNetwork 5.3 uses the same hardcoded API key for all installations by default, allowing attackers to guess the admin access token and gain unauthorized control.
Technical detail
The application employs a hardcoded, identical API key across all default installations (CWE-798: Use of Hard-coded Credentials). An unauthenticated attacker can derive valid admin authentication tokens without requiring any legitimate credentials, leading to complete compromise of the monitoring system.
Summary generated and translated by AI from the official description.
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 2
cve_reference: packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html (unverified)
exploitdb: www.exploit-db.com/exploits/48169 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.