Vulnerability Summary
MyLittleAdmin is a web-based management tool specially designed for MS SQL Server. It fully works with MS SQL Server. While the product appears to be discontinued (no new releases since 2013), it is still being offered on the company website as well as part of the optional installation of Plesk. Furthermore, there are numerous active installations present on the Internet. An unauthenticated RCE vulnerability in the product allows remote attackers to execute arbitrary commands within the context of the IIS application engine.
Affected Systems
MyLittleAdmin version 3.8. We suspect older versions are also affected but have no way to verify it.
An alert has been sent to all hosting control panels to quickly remove MyLittleAdmin from Windows-based hosting control panels. For example, if MyLittleAdmin is installed, arbitrary code can be run on behalf of IUSRPLESK_sqladmin.
Solution
You must immediately uninstall the installed plug-in.
You can learn more about the problem from the sources below.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13166
https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
https://support.plesk.com/hc/en-us/articles/360013996240