Supsystic Ultimate Maps SQLi: Unauthenticated RCE Risk

The National Vulnerability Database lists CVE-2020-37242, an SQL injection flaw in Supsystic Ultimate Maps 1.1.12. The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by manipulating the 'sidx' GET parameter. It carries a CVSS score of 8.2 (HIGH).

Attackers can leverage this flaw by sending crafted requests to the getListForTbl action. They can employ boolean-based blind or time-based blind SQL injection payloads to extract sensitive information directly from the underlying database. This direct access to database contents poses a significant risk of data exfiltration.

While the National Vulnerability Database does not detail affected products beyond version 1.1.12, any organization using this plugin, especially an older version, should consider itself exposed. This type of SQLi allows for full database compromise, a common initial access vector for broader network penetration. Defenders need to prioritize patching or mitigation immediately.

What This Means For You

  • If your organization uses Supsystic Ultimate Maps, particularly version 1.1.12 or earlier, you are at direct risk of unauthenticated database compromise. Attackers can extract sensitive data or potentially gain further access to your web server. Immediately identify all instances of this plugin, audit for indicators of compromise, and apply any available patches or remove the plugin if it's not critical.

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2020-37242 - Supsystic Ultimate Maps SQLi via sidx parameter

title: CVE-2020-37242 - Supsystic Ultimate Maps SQLi via sidx parameter
id: scw-2026-05-16-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit the Supsystic Ultimate Maps SQL injection vulnerability (CVE-2020-37242) by looking for the 'sidx' GET parameter combined with common SQL injection keywords like 'ORDER BY' and 'UNION SELECT' in the web server logs. This indicates an unauthenticated attacker is trying to extract data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2020-37242/
tags:
  - attack.initial_access
  - attack.t1190
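logsource:
  category: webserver
detection:
  # Parameter name without a leading '?', so it matches wherever sidx sits in the query string
  selection_param:
    cs-uri-query|contains: 'sidx='
  # Any one of the SQL keywords named in the description.
  # Matching is against the logged string: percent-encoded spaces only match if the pipeline decodes the query first.
  selection_keywords:
    cs-uri-query|contains:
      - 'ORDER BY'
      - 'UNION SELECT'
  condition: selection_param and selection_keywords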
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
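
An added example, not part of the original page or the plugin's code: keyword rules like the one above miss percent-encoded and blind payloads, so this Python check instead flags any 'sidx' value that is not a bare column name on requests that name getListForTbl. The log format, request paths and sample lines are constructed, and treating a legitimate 'sidx' as a single identifier is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate sort index is one bare column name.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# Request field of a common/combined access-log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ACTION = "getListForTbl"  # action named in the advisory

def suspicious_sidx(log_line):
    """Return the decoded sidx value if it is not a plain identifier, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    # parse_qs percent-decodes once and turns '+' into a space.
    params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    if "sidx" not in params:
        return None
    # Scope to the vulnerable action, whichever parameter carries its name.
    if not any(ACTION in v for values in params.values() for v in values):
        return None
    for value in params["sidx"]:
        # Empty means "no sort column". A leftover '%' (double encoding) or
        # any space, quote or parenthesis fails the identifier check.
        if value and not IDENTIFIER.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_sidx) for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_sidx(line)) is not None]

def sample_line(target):
    return f'203.0.113.7 - - [16/May/2026:19:20:01 +0000] "GET {target} HTTP/1.1" 200 512'

# Constructed sample data: documentation IP range, assumed URL layout.
BASE = "/wp-admin/admin-ajax.php?action=getListForTbl&sidx="
SAMPLE_LOG = [
    sample_line(BASE + "id"),                      # plain column name
    sample_line(BASE + "id%20AND%201%3D1"),        # encoded boolean test
    sample_line(BASE + "id%2520AND%25201%253D1"),  # double-encoded variant
    sample_line("/wp-admin/admin-ajax.php?action=other&sidx=id%20AND%201%3D1"),
    sample_line("/index.php"),                     # no query string
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious sidx value {value!r}")
```

Flagged values are returned after one round of decoding, so a double-encoded request shows up with its remaining percent escapes intact.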


Indicators of Compromise

ID              Type  Indicator
CVE-2020-37242  SQLi  Supsystic Ultimate Maps 1.1.12
CVE-2020-37242  SQLi  GET parameter 'sidx'
CVE-2020-37242  SQLi  getListForTbl action

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
