CVE-2021-21307
published 2021-02-11

Priority: P1 · 95
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 89.19% (99.8th percentile)
Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.

Affected (6 ranges)

Vendor | Product      | Version range          | Fixed in
lucee  | lucee        |                        |
lucee  | lucee        |                        |
lucee  | lucee        |                        |
lucee  | lucee_server | >= 5.3.5.00 < 5.3.5.96 | 5.3.5.96
lucee  | lucee_server | >= 5.3.6.00 < 5.3.6.68 | 5.3.6.68
lucee  | lucee_server | >= 5.3.7.00 < 5.3.7.47 | 5.3.7.47

Detection & IOCs (extracted from sources)

url: /lucee/admin/imgProcess.cfm?file=/whatever
url: /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm
path: /lucee/admin/imgProcess.cfm
sigma: POST request to /lucee/admin/imgProcess.cfm with file path traversal parameter (e.g., file=/../../../context/)
  • Detect unauthenticated POST requests to /lucee/admin/imgProcess.cfm with a 'file' parameter containing path traversal sequences (e.g., /../../../context/) — this is the file write primitive used for RCE.
  • Monitor for creation of new .cfm files in the Lucee web context directory, especially files not deployed by normal application processes, as the exploit writes a webshell there.
  • Response body containing 'uid=', 'gid=', and 'groups=' strings from a Lucee .cfm endpoint indicates successful RCE via the webshell.
  • The exploit requires no authentication; any unauthenticated POST to /lucee/admin/imgProcess.cfm should be treated as suspicious and investigated.
  • The exploit uses a path traversal in the 'file' query parameter of imgProcess.cfm to write a webshell outside the admin directory into the web context. The traversal depth (/../../../context/) may vary depending on the server's directory layout.
  • The written webshell filename is randomized per exploitation attempt (randstr), so static filename-based detection is not reliable; focus on behavioral detection of new .cfm files and subsequent POST requests with 'cmd' parameters.
  • The exploit executes commands as the Tomcat user, not root; post-exploitation activity should be monitored under the Tomcat process context.

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 8.6 HIGH