cbcvebase.
CVE-2021-20837
published 2021-10-26

CVE-2021-20837: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier…

Priority: P1 · 92
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 88.14% (99.7th percentile)
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.

Affected

5 ranges (no "Fixed in" version is listed for any range on this page; the description above is the authoritative statement of affected versions)

Vendor          Product        Version range    Fixed in
six_apart_ltd   movable_type   (not listed)
sixapart        movable_type   <= 1.46          (this range matches the Movable Type Premium / Premium Advanced 1.46 line in the description)
sixapart        movable_type   4.0 – 6.3.11
sixapart        movable_type   6.5.0 – 6.8.2
sixapart        movable_type   7.0 – 7.8.1

Detection & IOCs

path: /cgi-bin/mt/mt-xmlrpc.cgi
command (XML-RPC method): mt.handler_to_coderef
snort/suricata rule (Emerging Threats SID 2034366, written in Suricata sticky-buffer syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"mt-xmlrpc.cgi"; fast_pattern; http.request_body; content:""; distance:0; base64_decode:offset 0,relative; base64_data; content:"|60|"; startswith; reference:cve,2021-20837; classtype:attempted-admin; sid:2034366; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_20837, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2023_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |60| (ASCII backtick, the first byte of the base64-decoded payload)
  • The public exploit sends a POST to mt-xmlrpc.cgi with Content-Type text/xml; the XML-RPC body calls the mt.handler_to_coderef method and carries a base64-encoded, backtick-wrapped OS command as a parameter.
  • Because the command is encoded as base64(backtick + cmd + backtick), the decoded blob starts with 0x60 (|60|). A base64 parameter in a POST to mt-xmlrpc.cgi that decodes to a string beginning with a backtick is a strong exploit indicator; the ET rule above keys on exactly this and is rated confidence Medium, so pair it with the method name and the response check below rather than relying on it alone.
  • The Nuclei template treats the string 'failed loading package' in an HTTP 200 response body as confirmation that the injected command ran via the XML-RPC endpoint; the same string in access or application logs after a hit on the rule above is a useful triage pivot.
  • Shodan/FOFA queries can enumerate exposed Movable Type instances, so expect scanning of mt-xmlrpc.cgi as pre-exploitation reconnaissance.
  • Hunt for unusually structured XML-RPC POST bodies to mt-xmlrpc.cgi whose scalar value elements contain base64 rather than the plain strings normal clients send.
  • The Metasploit module defaults to PAYLOAD cmd/unix/reverse_netcat, so an outbound netcat reverse-shell connection initiated by the web server (CGI) process is a strong post-exploitation indicator.
  • The Metasploit module defaults to RPORT 80 and TARGETURI /cgi-bin/mt/; real installations differ in URI prefix and port, so detection rules should match on mt-xmlrpc.cgi and the request body, not on port 80 or the default path alone.
  • All versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are affected, so detection and patching scope must include legacy EOL deployments.
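The indicators above combine into a simple request-level check. The following Python is an added example written for this page; it is not code from the page, from Six Apart, or from the ET, Nuclei or Metasploit sources. It reimplements what the ET rule looks for, but on the parsed XML-RPC body rather than on raw bytes: a POST to any path ending in mt-xmlrpc.cgi, a methodName of mt.handler_to_coderef, and a scalar parameter that is valid base64 and decodes to a backtick-led string. The sample requests at the bottom are constructed for the demo (the Host header, the benign method name and the placement of the payload in a `<string>` param are assumptions, not captured traffic).

```python
"""Detection logic for the CVE-2021-20837 indicators (added example, not page code)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional, Tuple
from xml.sax.saxutils import escape

TARGET_URI_RE = re.compile(r"/mt-xmlrpc\.cgi$")   # any prefix path, any port
TARGET_METHOD = "mt.handler_to_coderef"            # method named in the IOC list


@dataclass
class Verdict:
    suspicious: bool                          # True only when the backtick payload is seen
    indicators: list = field(default_factory=list)
    decoded: Optional[bytes] = None           # decoded payload, for the analyst


def parse_http_request(raw: bytes) -> Tuple[str, str, bytes]:
    """Split a raw HTTP/1.1 request into (method, request-target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    return method, target, body


def _try_base64(text: str) -> Optional[bytes]:
    """Strict base64 decode; None for anything that is not a well-formed blob."""
    text = text.strip()
    if len(text) < 4 or len(text) % 4:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def _scalar_params(root: ET.Element):
    """Yield the text of each string-typed XML-RPC param (bare <value> or <string>)."""
    for value in root.iterfind("./params/param/value"):
        node = value.find("string")
        yield ((node.text if node is not None else value.text) or "").strip()


def inspect_request(method: str, target: str, body: bytes) -> Verdict:
    v = Verdict(False)
    path = target.split("?", 1)[0]
    if method.upper() != "POST" or not TARGET_URI_RE.search(path):
        return v                               # not the endpoint, nothing to do
    v.indicators.append(f"POST to {path}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        v.indicators.append("body is not well-formed XML")
        return v
    if root.tag != "methodCall":
        return v
    if (root.findtext("methodName") or "").strip() == TARGET_METHOD:
        v.indicators.append(f"methodName {TARGET_METHOD}")
    for text in _scalar_params(root):
        raw = _try_base64(text)
        if raw is not None and raw.startswith(b"`"):     # |60| startswith, as in the ET rule
            v.indicators.append("base64 param decodes to backtick-led string (0x60)")
            v.suspicious, v.decoded = True, raw
            break
    return v


def analyze_raw(raw: bytes) -> Verdict:
    return inspect_request(*parse_http_request(raw))


# ---- constructed sample traffic (not captured from a real incident) --------------
def _xmlrpc_request(path: str, method_name: str, *params: str) -> bytes:
    body = ('<?xml version="1.0"?><methodCall><methodName>%s</methodName><params>%s'
            '</params></methodCall>') % (method_name, "".join(
                "<param><value><string>%s</string></value></param>" % escape(p) for p in params))
    head = ("POST %s HTTP/1.1\r\nHost: blog.example\r\nContent-Type: text/xml\r\n"
            "Content-Length: %d\r\n\r\n") % (path, len(body))
    return head.encode() + body.encode()

# exploit-shaped: base64("`id`") sent to mt.handler_to_coderef at the default path
SAMPLE_EXPLOIT = _xmlrpc_request("/cgi-bin/mt/mt-xmlrpc.cgi", TARGET_METHOD,
                                 base64.b64encode(b"`id`").decode())
# benign: an ordinary call with no base64 parameter (method name is a placeholder)
SAMPLE_BENIGN = _xmlrpc_request("/cgi-bin/mt/mt-xmlrpc.cgi", "blogger.getUsersBlogs", "appkey", "user")
# same payload aimed at a non-Movable-Type endpoint: out of scope for this check
SAMPLE_OTHER = _xmlrpc_request("/xmlrpc.php", TARGET_METHOD, base64.b64encode(b"`id`").decode())

if __name__ == "__main__":
    for name, sample in (("exploit", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN), ("other", SAMPLE_OTHER)):
        print(name, analyze_raw(sample))
```

Two design points. The ET rule base64-decodes from the start of the request body and cannot tell which XML-RPC parameter it is looking at, which is why it carries confidence Medium; parsing the body lets you require the method name as well and keeps the verdict independent of port and URI prefix, as the Metasploit defaults note above recommends. Keep the decoded bytes in the alert: the analyst wants to see the command, and a non-backtick decode (a legitimate base64 parameter) is what you will need to look at when tuning false positives.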

CVSS provenance

NVD v3.1:   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0:   7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck:  9.8 CRITICAL