Aptus Web - RCE (CVE-2020-7980)
102Exploiting IPs reported
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
CrowdSec analysis
CVE-2020-7980 describes a remote code execution vulnerability in Intellian Aptus Web 1.24, where attackers can execute arbitrary operating system commands by exploiting the Q field in JSON data sent to the cgi-bin/libagent.cgi endpoint. Successful exploitation may require a valid session cookie, potentially allowing attackers with access to the default account to fully compromise the affected system. This vulnerability could be leveraged for complete system takeover, data theft, or further network intrusion.
CrowdSec has been tracking this vulnerability and its exploits since 30th of June 2025.
Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2020-7980 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. CrowdSec data also reveals a clear uptick in attacks involving CVE-2020-7980 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.
Attackers exploit this vulnerability by sending POST requests to /cgi-bin/libagent.cgi?type=J, attempting remote code execution via crafted JSON payloads.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.