CVE-2021-1499
published 2021-05-06

Priority: P265 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EXPLOIT
EPSS: 80.43% (99.6th percentile)

A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_hyperflex_hx_data_platform | | |
| cisco | hyperflex_hx_data_platform | < 4.0(2e) | 4.0(2e) |
| cisco | hyperflex_hx_data_platform | >= 4.5 < 4.5(2a) | 4.5(2a) |
| cisco | hyperflex_hx_data_platform_file_upload | | |

Detection & IOCs (extracted from sources)

url: /upload
path: ../../../../../tmp/passwd9
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; http.request_body; content:"name=|22|"; content:"filename=|22|../../"; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_09_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: name=|22|
bytes: filename=|22|../../
  • Detect unauthenticated HTTP POST requests to the /upload endpoint on HyperFlex management interfaces; no authentication headers should be present.
  • Look for path traversal sequences (e.g., ../../) in the multipart form-data filename field of POST requests to /upload, indicating directory traversal attempts.
  • Successful exploitation response contains JSON keys '{"result":' and '"filename:' along with the uploaded path; match these in HTTP 200 responses to confirm exploitation.
  • Emerging Threats rule SID 2033907 covers inbound exploitation attempts; deploy at perimeter and internal sensors with high confidence.
  • Monitor for new files appearing under /tmp/ owned by the tomcat8 user following POST requests to /upload, as a post-exploitation indicator.
  • The vulnerability exists specifically because the /upload endpoint requires no authentication; there are no workarounds, and only patching resolves the issue.
  • Uploaded files are written with tomcat8 user permissions, limiting but not eliminating post-exploitation impact; chaining with other vulnerabilities can lead to full RCE.
  • Cisco bug IDs CSCvx36028 and CSCvx52126 track this issue; ensure both are addressed when applying patches.
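
The request-side checks from the list above (POST to /upload, no authentication headers, traversal in the multipart filename), as an added Python example that is not part of the original page or of any vendor tooling. The header names treated as authentication, the sample requests, the boundary and the form field name are constructed assumptions; the check goes slightly beyond the Snort rule by also catching URL-encoded and backslash traversal.

```python
import re
from urllib.parse import unquote, urlsplit

# Matches the filename parameter of a multipart Content-Disposition header.
FILENAME_RE = re.compile(rb'content-disposition:[^\r\n]*?\bfilename="([^"\r\n]*)"', re.I)
AUTH_HEADERS = {"authorization", "cookie"}  # assumption: what counts as "authenticated"

def has_traversal(filename: str) -> bool:
    """True if any path segment is '..' after URL-decoding and slash normalisation."""
    decoded = unquote(filename).replace("\\", "/")
    return ".." in decoded.split("/")

def inspect_request(method, uri, headers, body):
    """Return the list of findings for one HTTP request (empty list = nothing flagged)."""
    if method.upper() != "POST" or urlsplit(uri).path.rstrip("/") != "/upload":
        return []
    findings = []
    if not AUTH_HEADERS & {h.lower() for h in headers}:
        findings.append("unauthenticated POST to /upload")
    for raw in FILENAME_RE.findall(body):
        name = raw.decode("latin-1")
        if has_traversal(name):
            findings.append(f"path traversal in filename: {name}")
    return findings

def multipart(filename):
    # Constructed sample body; boundary "XX" and field name "file" are placeholders.
    return (b'--XX\r\nContent-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\n\r\ndata\r\n--XX--\r\n')

# Constructed sample requests: (method, uri, headers, body)
SAMPLES = [
    ("POST", "/upload", {"Content-Type": "multipart/form-data; boundary=XX"},
     multipart("../../../../../tmp/passwd9")),
    ("POST", "/upload", {"Cookie": "session=abc"}, multipart("report.tgz")),
    ("POST", "/upload", {"Cookie": "session=abc"}, multipart("..%2f..%2ftmp%2fx")),
    ("GET", "/upload", {}, b""),
]

if __name__ == "__main__":
    for method, uri, headers, body in SAMPLES:
        print(method, uri, inspect_request(method, uri, headers, body))
```
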

CVSS provenance

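| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_cisco | | 5.3 | MEDIUM | |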