What is the CVSS score of CVE-2020-37153?

CVE-2020-37153 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of AWS are affected by CVE-2020-37153?

ASTPP 4.0.1 contains critical vulnerabilities (CVSS 9.8) affecting SIP device configuration and plugin management that could allow attackers to execute arbitrary commands or inject malicious code.

Is there a public PoC exploit available for CVE-2020-37153?

Yes, a public proof-of-concept exploit is available for CVE-2020-37153. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2020-37153?

Within 24 hours: Identify all systems running ASTPP 4.0.1 and assess their network exposure; disable plugin management and SIP device configuration interfaces if not actively required. Within 7 days: Implement WAF rules to block exploitation attempts targeting vulnerable endpoints; apply input validation and output encoding controls; conduct threat hunting for signs of exploitation. Within 30 days: Evaluate upgrading to patched ASTPP version or alternative VoIP platform; if upgrade unavailable, establish compensating controls including network segmentation, access controls, and enhanced monitoring.

AWS CVE-2020-37153

CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2026-02-11 disclosure@vulncheck.com

AWS XSS Command Injection Astpp

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

PoC Detected

Feb 20, 2026 - 20:22 vuln.today

Public exploit code

CVE Published

Feb 11, 2026 - 21:16 nvd

CRITICAL 9.8

DescriptionCVE.org

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.

AnalysisAI

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin management. PoC available.

Technical ContextAI

CWE-79 and command injection in ASTPP, an open-source VoIP billing platform.

RemediationAI

Update ASTPP.

CVE-2020-37153 vulnerability details – vuln.today

Back

AWS CVE-2020-37153

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code