Aptus Web - RCE (CVE-2020-7980)

CVE-2020-7980 describes a remote code execution vulnerability in Intellian Aptus Web 1.24, where attackers can execute arbitrary operating system commands by exploiting the Q field in JSON data sent to the cgi-bin/libagent.cgi endpoint. Successful exploitation may require a valid session cookie, potentially allowing attackers with access to the default account to fully compromise the affected system. This vulnerability could be leveraged for complete system takeover, data theft, or further network intrusion.

CrowdSec has been tracking this vulnerability and its exploits since 30th of June 2025.

CrowdSec network observations suggest that most exploitation of CVE-2020-7980 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec network telemetry also shows that exploitation of CVE-2020-7980 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit this vulnerability by sending POST requests to /cgi-bin/libagent.cgi?type=J, attempting remote code execution via crafted JSON payloads.