CVE-2021-27964
Published: 2021-03-05
Priority: P187 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 46.02% (98.7th percentile)
SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sfcyazilim | sonlogger | < 6.4.1 | 6.4.1 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /Config/SaveUploadedHotspotLogoFile with multipart/form-data content-type and no session/auth headers — indicative of a CVE-2021-27964 exploitation attempt.
- Monitor for GET requests to /Assets/temp/hotspot/img/ following a POST to /Config/SaveUploadedHotspotLogoFile — this two-step pattern (upload then execute) is the standard exploitation chain for this CVE.
- Alert on POST requests to /shared/GetProductInfo used as a pre-exploitation fingerprinting/check step against SonLogger instances.
- Look for the HTTP request header 'X-Requested-With: XMLHttpRequest' combined with a multipart file upload to /Config/SaveUploadedHotspotLogoFile as a detection signal.
- Use the FOFA/Shodan query body="SonLogger" to identify exposed SonLogger instances for proactive asset discovery and patching prioritization.
- Nuclei template detection: confirm exploitation by verifying a 200 response to /Config/SaveUploadedHotspotLogoFile with a JSON body containing 'Message', followed by a 200 response retrieving the uploaded file from /Assets/temp/hotspot/img/.
- The Metasploit module targets SonLogger on Windows platforms only (x86/x64); the uploaded payload is a .asp webshell, so exploitation requires the web server to support ASP execution.
- The vulnerability affects SonLogger versions before 6.4.1; the Metasploit module was tested on version 4.2.3.3. The check endpoint /shared/GetProductInfo returns a JSON 'Version' field that can be used to confirm a vulnerable version.
- The default target port for SonLogger is 5000, not the standard HTTP port 80/443 — ensure network monitoring and firewall rules cover this non-standard port.
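The detection signals above can be correlated per source address rather than matched one request at a time. The following is an added example (not code from this page, from SonLogger, or from any of the indexed sources) that runs those rules over a constructed JSON-lines proxy log: the log format, the field names (`ts`, `src`, `method`, `path`, `status`, `headers`) and the 5-minute correlation window are assumptions chosen for the example. It flags the fingerprinting POST, an upload POST that carries no Cookie or Authorization header, and a subsequent fetch from the served directory by the same source, while leaving an authenticated logo upload alone.

```python
import json
from datetime import datetime, timedelta

UPLOAD_PATH = "/Config/SaveUploadedHotspotLogoFile"
SERVED_PREFIX = "/Assets/temp/hotspot/img/"
FINGERPRINT_PATH = "/shared/GetProductInfo"
CHAIN_WINDOW = timedelta(minutes=5)  # assumed correlation window for upload-then-fetch

# Constructed sample log (JSON lines, one request per line). Addresses are
# documentation ranges; the first source runs the fingerprint/upload/fetch chain,
# the second is a legitimate, session-authenticated logo upload.
SAMPLE_LOG = """\
{"ts": "2024-01-22T10:00:01Z", "src": "203.0.113.7", "method": "POST", "path": "/shared/GetProductInfo", "status": 200, "headers": {}}
{"ts": "2024-01-22T10:00:03Z", "src": "203.0.113.7", "method": "POST", "path": "/Config/SaveUploadedHotspotLogoFile", "status": 200, "headers": {"Content-Type": "multipart/form-data; boundary=----x", "X-Requested-With": "XMLHttpRequest"}}
{"ts": "2024-01-22T10:00:04Z", "src": "203.0.113.7", "method": "GET", "path": "/Assets/temp/hotspot/img/upload.asp", "status": 200, "headers": {}}
{"ts": "2024-01-22T11:30:00Z", "src": "198.51.100.2", "method": "POST", "path": "/Config/SaveUploadedHotspotLogoFile", "status": 200, "headers": {"Content-Type": "multipart/form-data; boundary=----y", "Cookie": "session=abcd"}}
{"ts": "2024-01-22T11:30:01Z", "src": "198.51.100.2", "method": "GET", "path": "/Assets/temp/hotspot/img/logo.png", "status": 200, "headers": {"Cookie": "session=abcd"}}
{"ts": "2024-01-22T12:00:00Z", "src": "192.0.2.9", "method": "GET", "path": "/", "status": 200, "headers": {}}
"""


def detect(log_text):
    """Return a list of alert dicts, in log order, for the CVE-2021-27964 signals."""
    alerts = []
    last_unauth_upload = {}  # src -> timestamp of its most recent unauthenticated upload

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hdrs = {k.lower(): v for k, v in ev["headers"].items()}
        src, method, path = ev["src"], ev["method"], ev["path"]
        authed = "cookie" in hdrs or "authorization" in hdrs

        # Signal 1: version check endpoint hit before the upload.
        if method == "POST" and path == FINGERPRINT_PATH:
            alerts.append({"rule": "fingerprint", "src": src, "ts": ev["ts"], "path": path})

        # Signal 2: upload endpoint reached with no session or auth header.
        if method == "POST" and path == UPLOAD_PATH and not authed:
            alerts.append({
                "rule": "unauth_upload",
                "src": src,
                "ts": ev["ts"],
                "path": path,
                "multipart": hdrs.get("content-type", "").startswith("multipart/form-data"),
                "xhr": hdrs.get("x-requested-with") == "XMLHttpRequest",
            })
            last_unauth_upload[src] = ts

        # Signal 3: the same source fetches from the served directory shortly after.
        if method == "GET" and path.startswith(SERVED_PREFIX) and src in last_unauth_upload:
            if ts - last_unauth_upload[src] <= CHAIN_WINDOW:
                alerts.append({
                    "rule": "upload_then_fetch",
                    "src": src,
                    "ts": ev["ts"],
                    "path": path,
                    "confirmed": ev["status"] == 200,  # a 200 means the file is being served
                })

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `unauth_upload` alert alone is the high-confidence signal, since the product requires no session for this endpoint and a legitimate admin upload should always carry one; the `upload_then_fetch` alert with `confirmed` set is what a responder would treat as likely compromise and pivot on (web root contents under /Assets/temp/hotspot/img/, process activity of the web server). Remember that SonLogger listens on port 5000 by default, so the proxy or WAF feeding this log has to cover that port.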
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-mxm8-cmpq-g5cx (ghsa_unreviewed · 2022-05-24): CVE-2021-27964 [CRITICAL] · CWE-434
VulnCheck
sfcyazilim sonlogger Unrestricted Upload of File with Dangerous Type (vulncheck · 2021 · CVSS 9.8 · CRITICAL)
Affected: sfcyazilim sonlogger
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-27964
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnera
No detection rules found.
Exploit-DB
SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit) (exploitdb · 2021-03-15)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SonLogger Arbitrary File Upload Exploit',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload
          via insecure POST request. It has been tested on version 4.2.3.3.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Berkan Er' # Vulnerability discovery, PoC and Metasploit module
          ],
        'References' =>
          [
            ['CVE', '2021-27964'],
            ['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/']
          ],
        'Platform' => ['win'],
        'Privileged' => false,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' =>
          [
            [
              'SonLogger',
              {
                'Platform' => 'win'
              }
            ],
          ],
        'DisclosureDate' => '2021-03-01',
        'DefaultTarget' => 0
      )
    )
  end

  # The module's check and exploit methods are not part of the indexed excerpt.
end
```
Nuclei
SonLogger - Arbitrary File Upload (nuclei · CVSS 9.8 · CRITICAL)
Template:
```yaml
id: CVE-2021-27964

info:
  name: SonLogger - Arbitrary File Upload
  author: DhiyaneshDK
  severity: critical
  description: |
    SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.
  impact: |
    Unauthenticated attackers can upload malicious files without extension validation
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/161793/SonLogger-4.2.3.3-Shell-Upload.html
- https://github.com/erberkan/SonLogger-vulns
- https://www.sonlogger.com/releasenotes