CVE-2021-20837
Published: 2021-10-26
Priority: P1 (92) · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: exploited in the wild (ITW) · public exploit · VulnCheck KEV · initial access
EPSS: 88.14% (99.7th percentile)
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| six_apart_ltd | movable_type | — | — |
| sixapart | movable_type | <= 1.46 | — |
| sixapart | movable_type | 4.0 – 6.3.11 | — |
| sixapart | movable_type | 6.5.0 – 6.8.2 | — |
| sixapart | movable_type | 7.0 – 7.8.1 | — |
Detection & IOCs (extracted from sources)

Suricata rule, ET sid 2034366 (the page labels it "snort", but the http.method / http.uri / http.request_body sticky buffers and the startswith modifier are Suricata syntax):

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"mt-xmlrpc.cgi"; fast_pattern; http.request_body; content:""; distance:0; base64_decode:offset 0,relative; base64_data; content:"|60|"; startswith; reference:cve,2021-20837; classtype:attempted-admin; sid:2034366; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_20837, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2023_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Note the empty content:"" immediately before base64_decode: the rule anchors the decode to a quoted match that HTML extraction has stripped from this copy (most likely an XML tag name), so take the rule from the ET ruleset itself rather than from this page before deploying it.

Byte indicator: |60| (ASCII backtick, 0x60), the first byte of the decoded payload.
- The exploit sends a POST request to mt-xmlrpc.cgi with Content-Type text/xml and a base64-encoded, backtick-wrapped OS command inside the XML-RPC body, targeting the mt.handler_to_coderef method.
- The injected command is base64-encoded and wrapped in backticks (ASCII 0x60, |60|); a base64 blob in the XML-RPC POST body to mt-xmlrpc.cgi that decodes to a string starting with a backtick is a reliable exploit indicator.
- The Nuclei template treats the string 'failed loading package' in an HTTP 200 response body as confirmation of successful command injection via the XML-RPC endpoint.
- Shodan/FOFA queries can identify exposed Movable Type instances; such queries are pre-exploitation reconnaissance.
- The exploit encodes the OS command as base64(backtick + cmd + backtick) and places it in the XML-RPC scalar value field; look for unusually structured XML-RPC POST bodies with base64 content in the scalar element sent to mt-xmlrpc.cgi.
- The Metasploit module's default PAYLOAD is cmd/unix/reverse_netcat, so an outbound netcat reverse-shell connection from the web server process is a strong post-exploitation indicator.
- The Metasploit module's default RPORT is 80 and default TARGETURI is /cgi-bin/mt/; installations differ in URI path and port, so detection rules should not be limited to port 80 or that path alone.
- All versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are affected; detection and patching scope must include legacy EOL deployments.
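Detection logic for the indicators above, run over constructed sample requests, as an added example that is not part of this page, the ET ruleset, Nuclei or Metasploit: it reproduces the rule's conditions (POST, a URI containing mt-xmlrpc.cgi, a base64 scalar that decodes to a leading backtick) by parsing the XML-RPC body instead of byte-matching, records the methodName so that hits against mt.handler_to_coderef are ranked higher, and, going beyond the ET rule, also flags the same backtick-wrapped payload when it is carried in a plain string scalar (an XML-RPC client can use either encoding for the same server-side string; flagging it is this example's design choice, not something the sources state). The request bodies, the MAX_BODY cap and the function names are this example's own assumptions.

```python
"""Flag CVE-2021-20837 exploitation attempts in HTTP requests to mt-xmlrpc.cgi.

Added example: mirrors the conditions of ET sid 2034366 (POST, URI containing
mt-xmlrpc.cgi, a base64 scalar whose decoded value starts with a backtick) by
parsing the XML-RPC body. The sample requests at the bottom are constructed
for this example, not captured traffic.
"""
from __future__ import annotations

import base64
import binascii
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MAX_BODY = 64 * 1024                    # arbitrary cap: the body is attacker-controlled XML
VULN_METHOD = "mt.handler_to_coderef"   # method named in the public PoC


@dataclass
class Finding:
    method_name: str | None   # XML-RPC methodName, if present
    encoding: str             # "base64" or "string": how the payload was carried
    payload_prefix: str       # start of the decoded value, for the alert text
    confidence: str           # "high" when the PoC's method is named, else "medium"


def _scalar_values(root: ET.Element):
    """Yield (type_tag, text) for every base64/string scalar in the call."""
    for value in root.iter("value"):
        children = list(value)
        if not children:
            # <value>text</value> with no type tag is an implicit string
            if value.text and value.text.strip():
                yield "string", value.text
            continue
        for child in children:
            if child.tag in ("base64", "string"):
                yield child.tag, child.text or ""


def inspect_request(method: str, uri: str, body: bytes) -> list[Finding]:
    """Return findings for one HTTP request given its method, path and raw body."""
    if method.upper() != "POST" or "mt-xmlrpc.cgi" not in uri or len(body) > MAX_BODY:
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodCall":
        return []
    method_name = root.findtext("methodName")
    confidence = "high" if method_name == VULN_METHOD else "medium"
    findings: list[Finding] = []
    for tag, text in _scalar_values(root):
        if tag == "base64":
            try:
                # XML-RPC allows line-wrapped base64; drop all whitespace first
                decoded = base64.b64decode("".join(text.split()), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, so not the PoC's encoding
        else:
            decoded = text.encode("utf-8", "surrogateescape")
        if decoded.startswith(b"`"):   # 0x60, the |60| byte the ET rule keys on
            findings.append(Finding(method_name, tag, decoded[:32].decode("latin-1"), confidence))
    return findings


def _xmlrpc_call(method_name: str, value_inner: bytes) -> bytes:
    """Build a minimal XML-RPC methodCall body with a single parameter."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n<methodCall>\n'
            b'<methodName>' + method_name.encode() + b'</methodName>\n'
            b'<params><param><value>' + value_inner + b'</value></param></params>\n'
            b'</methodCall>')


CMD = b"`id`"   # backtick-wrapped command, shaped like the PoC's payload
SAMPLES: dict[str, tuple[str, str, bytes]] = {   # constructed, not captured
    "poc_base64": ("POST", "/cgi-bin/mt/mt-xmlrpc.cgi",
                   _xmlrpc_call(VULN_METHOD, b"<base64>" + base64.b64encode(CMD) + b"</base64>")),
    "poc_base64_wrapped": ("POST", "/mt/mt-xmlrpc.cgi",   # non-default path, wrapped base64
                           _xmlrpc_call(VULN_METHOD, b"<base64>\n" + base64.encodebytes(CMD) + b"</base64>")),
    "poc_string": ("POST", "/cgi-bin/mt/mt-xmlrpc.cgi",   # same payload as a plain string scalar
                   _xmlrpc_call(VULN_METHOD, b"<string>" + CMD + b"</string>")),
    "benign_base64": ("POST", "/cgi-bin/mt/mt-xmlrpc.cgi",
                      _xmlrpc_call("mt.getRecentPostTitles",
                                   b"<base64>" + base64.b64encode(b"hello") + b"</base64>")),
    "other_endpoint": ("POST", "/cgi-bin/mt/mt.cgi",
                       _xmlrpc_call(VULN_METHOD, b"<base64>" + base64.b64encode(CMD) + b"</base64>")),
    "get_request": ("GET", "/cgi-bin/mt/mt-xmlrpc.cgi", b""),
}


def scan_samples() -> dict[str, int]:
    """Number of findings per sample request."""
    return {name: len(inspect_request(*req)) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        for f in inspect_request(*req):
            print(f"{name}: {f.confidence} confidence, {f.encoding} scalar {f.payload_prefix!r} to {f.method_name}")
```

Run it as a script to print one line per finding; in a pipeline, feed inspect_request the method, path and body from your HTTP access log or WAF events. The parser is stdlib ElementTree, which is acceptable for a size-capped body, but prefer defusedxml when the input is fully untrusted.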
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-fq4q-8q83-6gj7: Movable Type 7 r…
ghsa_unreviewed · 2022-05-24 · CVE-2021-20837 [CRITICAL] · CWE-78
Description: identical to the CVE description above.
VulnCheck
sixapart movable_type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2021 · CVSS 9.8 [CRITICAL]
Description: identical to the CVE description above.
Affected: sixapart movable_type
Required Action: Apply remediations or mitigations per vendor instructions…
Suricata
ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837)
suricata · 2021-11-09 · CVSS 9.8 [CRITICAL]
Rule: sid 2034366, reproduced in full under Detection & IOCs above.
Exploit-DB
Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit)
exploitdb · 2021-10-29 · CVE-2021-20837
Module excerpt. The source cuts off inside the Targets hash; the class and initialize scaffolding that extraction dropped are restored below, and the default payload is the cmd/unix/reverse_netcat named in the IOC notes. The exploit body itself is not reproduced on this page.

```ruby
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Movable Type XMLRPC API Remote Command Injection',
        'Description' => %q{
          This module exploits the Movable Type XMLRPC API remote command injection.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Etienne Gervais', # author & msf module
          'Charl-Alexandre Le Brun' # author & msf module
        ],
        'References' => [
          ['CVE', '2021-20837'],
          ['URL', 'https://movabletype.org/'],
          ['URL', 'https://nemesis.sh/']
        ],
        'DefaultOptions' => {
          'SSL' => false
        },
        'Platform' => ['linux'],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'DisclosureDate' => '2021-10-20',
        'DefaultTarget' => 0,
        'Targets' => [
          [
            'Automatic (Unix In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }
            }
          ]
        ]
      )
    )
  end

  # Remainder of the module (options, check, exploit) is truncated in the source.
end
```
Nuclei
MovableType - Remote Command Injection
nuclei · CVSS 9.8 [CRITICAL] · CVE-2021-20837
Template (the source reproduces only the info block; the request and matcher sections are summarised in the IOC notes above):

```yaml
id: CVE-2021-20837

info:
  name: MovableType - Remote Command Injection
  author: dhiyaneshDK,hackergautam
  severity: critical
  description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
# (request and matcher sections truncated in the source)
```
Nuclei
Movable Type Security Checks
nuclei · CVSS 9.8 [CRITICAL] · CVE-2021-20837
A simple workflow that runs all Movable Type related nuclei templates on a given target.
Template:

```yaml
id: movable-workflow

info:
  name: Movable Type Security Checks
  author: dhiyaneshDk
  description: A simple workflow that runs all Movable related nuclei templates on a given target.

workflows:
  - template: http/technologies/default-movable-page.yaml
    subtemplates:
      - template: http/cves/2021/CVE-2021-20837.yaml
  - template: http/exposed-panels/movable-type-login.yaml
    subtemplates:
      - template: http/cves/2021/CVE-2021-20837.yaml
```
Unit42
Network Security Trends: November 2021 to January 2022
blogs_unit42 · 2022-05-31 · CVSS 9.8 [CRITICAL]
Author: Yue Guan. Published: May 31, 2022. Tags: Threat Research, Vulnerabilities, Apache Log4j, Attack analysis, Denial of service, Exploit in Wild, Network security trends.

## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.

Cross-site scripting stood out as a commonly used technique. Among around 6,443 newly published vulnerabilities, we found that a large portion (almost 10.6%) still involve this technique. However, by evaluating around 167 million attack sessions and focusing on the latest exploits in the wild, we conclude that remote code execution…
References
- http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
- https://jvn.jp/en/jp/JVN41119755/index.html (JPCERT/IPA advisory JVN#41119755)
- https://movabletype.org/news/2021/10/mt-782-683-released.html (vendor release announcement)