CVE-2021-27964
published 2021-03-05


Priority: P187 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW (exploited in the wild) · EXPLOIT available · VulnCheck KEV
EPSS: 46.02% (98.7th percentile)
SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.

Affected

1 range

Vendor     | Product   | Version range | Fixed in
sfcyazilim | sonlogger | < 6.4.1       | 6.4.1

Detection & IOCs (extracted from sources)

url:  /Config/SaveUploadedHotspotLogoFile
url:  /Assets/temp/hotspot/img/logohotspot.asp
url:  /shared/GetProductInfo
path: /Assets/temp/hotspot/img/
port: 5000
  • Detect unauthenticated POST requests to /Config/SaveUploadedHotspotLogoFile with a multipart/form-data content type and no session or auth headers; this is indicative of a CVE-2021-27964 exploitation attempt.
  • Monitor for GET requests to /Assets/temp/hotspot/img/ following a POST to /Config/SaveUploadedHotspotLogoFile; this two-step pattern (upload, then execute) is the standard exploitation chain for this CVE.
  • Alert on POST requests to /shared/GetProductInfo, which are used as a pre-exploitation fingerprinting/check step against SonLogger instances.
  • Look for the HTTP request header 'X-Requested-With: XMLHttpRequest' combined with a multipart file upload to /Config/SaveUploadedHotspotLogoFile as a detection signal.
  • Use the FOFA/Shodan query body="SonLogger" to identify exposed SonLogger instances for proactive asset discovery and patching prioritization.
  • Nuclei template detection: confirm exploitation by verifying a 200 response to /Config/SaveUploadedHotspotLogoFile with a JSON body containing 'Message', followed by a 200 response retrieving the uploaded file from /Assets/temp/hotspot/img/.
  • The Metasploit module targets SonLogger on Windows platforms only (x86/x64); the uploaded payload is a .asp webshell, so exploitation requires the web server to support ASP execution.
  • The vulnerability affects SonLogger versions before 6.4.1; the Metasploit module was tested on version 4.2.3.3. The check endpoint /shared/GetProductInfo returns a JSON 'Version' field that can be used to confirm a vulnerable version.
  • The default target port for SonLogger is 5000, not the standard HTTP ports 80/443; ensure network monitoring and firewall rules cover this non-standard port.
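The detection bullets above describe three signals (a fingerprinting POST, an unauthenticated multipart upload, and a follow-up GET of the uploaded file) that are only useful when correlated per client. The following is an added example, not cbcvebase's code and not the Nuclei template or Metasploit module the entry references. It assumes request records from a reverse proxy or WAF that retain request headers (a plain access log does not carry Cookie/Authorization, so this layout, a dict per request, is an assumption), treats the presence of a Cookie or Authorization header as "has a session", and uses a 10-minute correlation window that is the author's choice. The sample records are constructed, not captured traffic.

```python
"""Correlate the CVE-2021-27964 request pattern across constructed proxy/WAF records.

Added example for this page (not cbcvebase's own tooling). Assumed record layout:
{"client": str, "ts": datetime, "method": str, "path": str, "headers": dict, "status": int}.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Endpoints and path taken from the entry's IOC list.
UPLOAD_PATH = "/Config/SaveUploadedHotspotLogoFile"
FETCH_PREFIX = "/Assets/temp/hotspot/img/"
FINGERPRINT_PATH = "/shared/GetProductInfo"
# Assumption: either of these headers means the request carried a session.
AUTH_HEADERS = ("cookie", "authorization")
# Assumption: an upload and a fetch within this window are treated as one chain.
CHAIN_WINDOW = timedelta(minutes=10)


@dataclass
class Finding:
    rule: str
    client: str
    ts: datetime
    detail: str


def _headers_lower(rec):
    """Header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v for k, v in rec.get("headers", {}).items()}


def is_unauth_upload(rec):
    """Rule: multipart POST to the logo-upload endpoint with no session/auth header."""
    if rec["method"] != "POST" or rec["path"] != UPLOAD_PATH:
        return False
    h = _headers_lower(rec)
    if not h.get("content-type", "").lower().startswith("multipart/form-data"):
        return False
    return not any(name in h for name in AUTH_HEADERS)


def detect(records):
    """Return findings in time order, correlating upload and fetch per client."""
    findings = []
    last_upload = {}  # client -> timestamp of its most recent flagged upload
    for rec in sorted(records, key=lambda r: r["ts"]):
        client, ts, h = rec["client"], rec["ts"], _headers_lower(rec)
        if rec["method"] == "POST" and rec["path"] == FINGERPRINT_PATH:
            findings.append(Finding("fingerprint", client, ts, "POST to " + FINGERPRINT_PATH))
        if is_unauth_upload(rec):
            last_upload[client] = ts
            xhr = h.get("x-requested-with") == "XMLHttpRequest"
            findings.append(Finding("unauth_upload", client, ts,
                                    "multipart POST without session header" + (" (XHR)" if xhr else "")))
        if (rec["method"] == "GET" and rec["path"].startswith(FETCH_PREFIX)
                and client in last_upload and ts - last_upload[client] <= CHAIN_WINDOW):
            gap = int((ts - last_upload[client]).total_seconds())
            findings.append(Finding("upload_then_fetch", client, ts,
                                    f"GET {rec['path']} {gap}s after unauthenticated upload"))
    return findings


# Constructed sample records: one suspicious client, one legitimate admin.
T0 = datetime(2021, 3, 6, 10, 0, 0)
SAMPLE_RECORDS = [
    {"client": "203.0.113.7", "ts": T0, "method": "POST", "path": FINGERPRINT_PATH,
     "headers": {"Content-Type": "application/json"}, "status": 200},
    {"client": "203.0.113.7", "ts": T0 + timedelta(seconds=3), "method": "POST", "path": UPLOAD_PATH,
     "headers": {"Content-Type": "multipart/form-data; boundary=----x",
                 "X-Requested-With": "XMLHttpRequest"}, "status": 200},
    {"client": "203.0.113.7", "ts": T0 + timedelta(seconds=5), "method": "GET",
     "path": FETCH_PREFIX + "logohotspot.asp", "headers": {}, "status": 200},
    # Same endpoint, but with a session cookie: an admin changing the logo, no alert.
    {"client": "10.0.0.5", "ts": T0 + timedelta(minutes=1), "method": "POST", "path": UPLOAD_PATH,
     "headers": {"Content-Type": "multipart/form-data; boundary=----y",
                 "Cookie": "SESSION=abc"}, "status": 200},
    {"client": "10.0.0.5", "ts": T0 + timedelta(minutes=1, seconds=2), "method": "GET",
     "path": FETCH_PREFIX + "logo.png", "headers": {}, "status": 200},
]


def run_sample():
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts.isoformat()} {f.client} {f.rule}: {f.detail}")
```

The correlation state is keyed by client so that a legitimate administrator's authenticated upload followed by a fetch of the new logo produces nothing, while the fingerprint, upload and fetch sequence from a single unauthenticated source yields three findings of rising severity. Alerting on the `upload_then_fetch` rule alone keeps noise low; the `fingerprint` rule is better suited to hunting than to paging.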

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | -       | 9.8   | CRITICAL | -