Apache APISIX Default Admin API Token Remote Code Execution (CVE-2020-13945)
Overview
The weakness tracked primarily as CVE-2020-13945 concerns the default Admin API token of Apache APISIX remaining usable in vulnerable deployments. APISIX is a cloud-native API gateway used to manage traffic, routes, plugins, and administrative API configuration in microservice environments; its Admin API is the management plane through which all of that configuration is changed.
Vulnerability Overview
CVE-2020-13945 exists when the APISIX Admin API is enabled, IP restriction rules are removed, and the default Admin API token remains usable. In that state, the default token can access APISIX management data and administrative configuration.
This Hackviser lab also models the later APISIX exposure tracked as CVE-2022-24112, where the batch-requests plugin can be abused to bypass Admin API IP restrictions. When a default admin key is still in use, that bypass can turn management-plane access into remote code execution in affected APISIX deployments.
Impact
CVE-2020-13945 has a CVSS 3.1 score of 6.5 and is rated Medium in NVD. By itself, the issue centers on unauthorized access to APISIX management data when unsafe Admin API settings and the default token are present.
The risk becomes much more severe when combined with the CVE-2022-24112 IP restriction bypass and a default API key. CVE-2022-24112 has a CVSS 3.1 score of 9.8 and is rated Critical in NVD. In that chained scenario, attackers can reach the Admin API remotely, manipulate gateway configuration, and potentially execute code through APISIX routing or plugin behavior.
Vulnerability Scope
CVE-2020-13945 affects Apache APISIX 1.2, 1.3, 1.4, and 1.5 when the Admin API is enabled, access IP restrictions are removed, and the default token is still valid. CVE-2022-24112 affects Apache APISIX versions before 2.10.4, and versions from 2.11.0 up to but not including 2.12.1, through the affected batch-requests plugin path.
The highest-risk exposure is an internet-facing APISIX gateway where the Admin API or data-plane plugin paths can be reached by untrusted clients and the admin key has not been rotated from the default value.
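The three conditions above (Admin API enabled, IP restriction removed, default token still valid) and the two version ranges are exactly what a defender should be able to check mechanically. The following is an added example written for this page, not Hackviser's or the APISIX project's code. It assumes the APISIX 2.x config.yaml layout (apisix.enable_admin, apisix.allow_admin, apisix.admin_key, and a top-level plugins list), that the shipped default key value is the one named in DEFAULT_ADMIN_KEY (verify it against the exact version you run), and that a config without a plugins list falls back to the 2.x defaults, which include batch-requests. The sample config is constructed to reproduce the lab scenario; on a real host you would load conf/config.yaml with yaml.safe_load() and pass the resulting dict to assess().

```python
"""Defensive configuration check for the APISIX Admin API exposure chain."""

# Default Admin API key as shipped in APISIX 2.x conf/config-default.yaml.
# Assumption: confirm the value against your installed version.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"

# Constructed sample mirroring the lab scenario: Admin API on, IP allowlist
# emptied, default key still present, no explicit plugins list (defaults apply).
SAMPLE_CONFIG = {
    "apisix": {
        "enable_admin": True,
        "allow_admin": [],
        "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
    },
}

# Constructed hardened counterpart: rotated key, internal-only allowlist.
HARDENED_CONFIG = {
    "apisix": {
        "enable_admin": True,
        "allow_admin": ["10.0.0.0/8"],
        "admin_key": [{"name": "admin", "key": "rotated-placeholder-key", "role": "admin"}],
    },
    "plugins": ["limit-req", "prometheus"],  # batch-requests left out
}


def parse_version(version):
    """Turn '2.10.4' into (2, 10, 4) so ranges compare numerically."""
    return tuple(int(part) for part in version.split("."))


def affected_cve_2020_13945(version):
    """Version range stated on this page: 1.2, 1.3, 1.4 and 1.5."""
    return parse_version(version) in {(1, 2), (1, 3), (1, 4), (1, 5)}


def affected_cve_2022_24112(version):
    """Version range stated on this page: < 2.10.4, and 2.11.0 <= v < 2.12.1."""
    ver = parse_version(version)
    if ver < (2, 10, 4):
        return True
    return (2, 11, 0) <= ver < (2, 12, 1)


def assess(config, version):
    """Return a list of finding tags for one parsed config.yaml plus version."""
    findings = []
    apisix = config.get("apisix") or {}
    if not apisix.get("enable_admin", True):
        return findings  # Admin API disabled: the chain cannot start

    allow = apisix.get("allow_admin") or []
    if not allow:
        findings.append("admin-api-no-ip-restriction")
    elif any(cidr in ("0.0.0.0/0", "::/0") for cidr in allow):
        findings.append("admin-api-open-allowlist")

    for entry in apisix.get("admin_key") or []:
        if entry.get("key") == DEFAULT_ADMIN_KEY:
            findings.append("default-admin-key:%s" % entry.get("name"))

    # Assumption: no plugins list means the 2.x default list, which enables
    # batch-requests; an explicit list only matters if it names the plugin.
    plugins = config.get("plugins")
    batch_requests_on = plugins is None or "batch-requests" in plugins

    if affected_cve_2020_13945(version):
        findings.append("version-affected-CVE-2020-13945")
    if batch_requests_on and affected_cve_2022_24112(version):
        findings.append("version-affected-CVE-2022-24112")
    return findings


def risk_level(findings):
    """Rate the chain: default key plus a way to reach the Admin API is critical."""
    default_key = any(f.startswith("default-admin-key") for f in findings)
    reachable = any(f in findings for f in (
        "admin-api-no-ip-restriction",
        "admin-api-open-allowlist",
        "version-affected-CVE-2022-24112",
    ))
    if default_key and reachable:
        return "critical"
    if default_key or reachable:
        return "high"
    return "low"


if __name__ == "__main__":
    for name, cfg, ver in (("lab", SAMPLE_CONFIG, "2.11.0"),
                           ("hardened", HARDENED_CONFIG, "2.12.1")):
        found = assess(cfg, ver)
        print(name, ver, risk_level(found), found)
```

The rating deliberately treats the version-range hit for CVE-2022-24112 as a reachability condition: an IP allowlist that looks sound is not a control if the gateway version lets the batch-requests path bypass it, which is the chained scenario the lab is built around.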
Lab Focus
This lab focuses on understanding how default administrative credentials, Admin API exposure, and IP restriction bypasses can combine into a high-impact gateway compromise. The goal is to practice evaluating API gateway management surfaces, default secret risk, and chained vulnerability impact from a defensive assessment perspective.
