CVE-2020-36906
Description
P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-36906 describes a CSRF vulnerability in P5 FNIP-8x16A and FNIP-4xSH firmware 1.0.20 that lets attackers perform administrative actions by tricking authenticated users into loading a crafted form.
Vulnerability Overview
CVE-2020-36906 is a cross-site request forgery (CSRF) vulnerability in the P5 FNIP-8x16A and FNIP-4xSH relay modules running firmware version 1.0.20. The product's web interface implements neither anti-CSRF tokens nor origin validation on its state-changing requests, so an attacker can forge requests that the device executes with the privileges of whichever administrator is currently logged in [1][2].
Attack Vector and Exploitation
An attacker hosts a web page that automatically submits a form to the device's user.cgi endpoint (for example an auto-submitting `<form>` whose hidden fields carry the parameters of the administrative action). If an administrator who is logged in to the device loads that page, the browser attaches the victim's session cookie to the cross-site request on its own and the device processes it as if the administrator had submitted it. The attacker needs no credentials on the device and can deliver the page from anywhere; the only preconditions are that the victim holds an active session and that the victim's browser can reach the device [2][4].
Impact
Successful exploitation lets a remote attacker who holds no credentials on the device add administrative users, change passwords and modify the system configuration, which amounts to full control of the relay module. Because the forged request rides on the victim's session, the attacker gains persistent administrative access (an account created this way remains after the victim logs out) and, depending on where the module sits, a foothold for lateral movement within the control network [1][4].
Mitigation
Zero Science Lab disclosed the vulnerability in January 2020 (advisory ZSL-2020-5564) and a proof of concept was published on the Exploit Database in April 2020. As of the advisory's publication the vendor had not announced a patch, so the available mitigations are operational: restrict network access to the management interface with strict firewall rules so that only trusted management hosts can reach it, and avoid browsing other sites from a browser session that is logged in to the device, since the attack needs both an active session in the victim's browser and network reachability from that browser to the device [1][2][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/180252
- exchange.xforce.ibmcloud.com/vulnerabilities/180253
- packetstorm.news/files/id/157318
- www.exploit-db.com/exploits/48362
- www.p5.hu
- www.vulncheck.com/advisories/p-fnip-xa-fnip-xsh-cross-site-request-forgery-via-user-management
- www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
News mentions
No linked articles in our index yet.