PT-2022-9051 · Seagate · Seagate Central Nas

Ege Balci · Published 2022-12-06 · Updated 2025-04-23 · CVE-2020-6627

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Seagate Central NAS versions STCG2000300, STCG3000300, and STCG4000300

Description

The web-management application on the affected devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.

Recommendations

For versions STCG2000300, STCG3000300, and STCG4000300, consider restricting access to the mv_backend_launch function in cirrus/application/helpers/mv_backend_helper.php to minimize the risk of exploitation. As a temporary workaround, avoid sending check_device_name requests when the device is in the "start" state until a patch is available.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2020-6627

Affected Products: Seagate Central Nas