CVE-2021-23758
published 2021-12-03

Priority: P1 85 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 88.77% (99.8th percentile)
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.

Affected (2 ranges)

Vendor             Product    Version range   Fixed in
ajaxpro.2_project  ajaxpro.2  < unspecified   unspecified
ajaxpro.2_project  ajaxpro.2  < 21.10.30.1    21.10.30.1

Detection & IOCs (extracted from sources)

url:   /ajaxpro/
bytes: |5f 5f|type
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT AjaxPro RCE Attempt (CVE-2021-23758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajaxpro/"; fast_pattern; http.request_body; content:"|5f 5f|type"; content:"Object"; nocase; reference:url,twitter.com/sirifu4k1/status/1470647490; reference:cve,2021-23758; classtype:attempted-admin; sid:2034729; rev:2; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_23758, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_12_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit traffic is an HTTP POST request to a URI containing '/ajaxpro/' with a JSON body containing the '__type' key (bytes 5f 5f followed by 'type') and the string 'Object' (case-insensitive). Monitor for this pattern on inbound web traffic.
  • A vulnerable default method exists in the AjaxPro namespace for versions prior to 21.10.30.1, allowing deserialization without any custom code. After the patch, exploitation remains possible if any custom method accepts a parameter of a type assignable from ObjectDataProvider (e.g., 'object').
  • The exploit constructs malicious JSON data sent to the target, which is deserialized by the AjaxPro JsonDeserializer. Inspect JSON POST bodies to /ajaxpro/ endpoints for unexpected '__type' fields referencing .NET types such as ObjectDataProvider.
  • Versions prior to 21.10.30.1 are vulnerable via a built-in default method. Version 21.10.30.1 removed the vulnerable method but remains exploitable if any custom application method accepts a parameter type assignable from ObjectDataProvider.
  • The Snort/ET rule (sid:2034729) targets perimeter and internal deployment and is classified as high confidence / major severity. Ensure it is deployed on both network perimeters and internal segments.
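The detection pattern described in the bullets above, as an added example that is not part of the advisory or the ET ruleset: it ports the content matches of sid:2034729 to Python for use on proxy or WAF logs where no IDS runs, and adds a stricter walk over every '__type' hint in the JSON body, which is my own addition beyond the rule. The request records and the /ajaxpro/<Namespace.Class>,<Assembly>.ashx handler path layout are constructed assumptions.

```python
# Added example (not from the advisory or the ET ruleset): a Python port of the
# content matches in Snort sid:2034729 plus a stricter walk over every '__type'
# hint in the JSON body, for use on proxy/WAF logs where no IDS is running.
import json
from dataclasses import dataclass

# sid:2034729 ANDs four matches: POST; uri "/ajaxpro/"; body "|5f 5f|type"
# (0x5f 0x5f is "__", so the needle is "__type"); body "Object" nocase.
TYPE_NEEDLE = b"\x5f\x5ftype"

@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes

def matches_rule(req: HttpRequest) -> bool:
    """Literal port of the Snort rule's match conditions."""
    return (req.method == "POST" and "/ajaxpro/" in req.uri
            and TYPE_NEEDLE in req.body and b"object" in req.body.lower())

def type_hints(node) -> list:
    """Collect every '__type' value anywhere in a parsed JSON document."""
    found = []
    if isinstance(node, dict):
        if isinstance(node.get("__type"), str):
            found.append(node["__type"])
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found.extend(type_hints(child))
    return found

def ajaxpro_type_hints(req: HttpRequest) -> list:
    """Stricter check: any '__type' hint in a POST to /ajaxpro/ deserves review,
    including type names without 'Object', which the Snort rule would miss."""
    if req.method != "POST" or "/ajaxpro/" not in req.uri:
        return []
    try:
        return type_hints(json.loads(req.body))
    except ValueError:  # not JSON: AjaxPro's JsonDeserializer has nothing to act on
        return []

# Constructed sample traffic, not captured data; handler path layout is assumed.
SAMPLES = [
    HttpRequest("POST", "/ajaxpro/Demo.Calc,Demo.ashx", b'{"a":1,"b":2}'),
    HttpRequest("POST", "/ajaxpro/Demo.Calc,Demo.ashx", b'{"x":{"__type":"System.Object"}}'),
    HttpRequest("POST", "/ajaxpro/Demo.Calc,Demo.ashx", b'[{"__type":"Some.Other.Type"}]'),
    HttpRequest("POST", "/api/items", b'{"__type":"System.Object"}'),
]
```

Only the second sample trips the literal rule; the third carries a type hint the rule never sees because its name lacks "Object", which is why the JSON walk is worth running alongside it.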

CVSS provenance

NVD v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P