CVE-2021-3007
published 2021-01-04


Priority: P186, critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW, Exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 75.31% (99.5th percentile)
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized

Affected

9 ranges

Vendor          Product          Version range          Fixed in
getlaminas      laminas-http     < 2.14.2               2.14.2
laminas         laminas-http     >= 0, < 2.14.2         2.14.2
openmage        magento          < 19.4.13              19.4.13
openmage        magento          >= 20.0.0, < 20.0.9    20.0.9
openmage        magento-lts      <= 19.4.12             (none listed)
openmage        magento-lts      >= 0, < 19.4.13        19.4.13
openmage        magento-lts      >= 20.0.0, < 20.0.9    20.0.9
zend            zend_framework   (not specified)        (none listed)
zendframework   zendframework    0 – 3.0.0              (none listed)

Detection & IOCs (extracted from sources)

path: /zend3/public/
other: Bot nickname format: [HAX| System OS | Machine Type | CPU count ] followed by 8-12 random letters
snort:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/zend3/public/"; fast_pattern; http.request_body; content:"zend"; nocase; content:"validator"; nocase; distance:0; content:"callback"; nocase; distance:0; content:"file_put_contents"; nocase; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2021-3007; classtype:attempted-admin; sid:2031536; rev:2; metadata:created_at 2021_01_22, cve CVE_2021_3007, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_25;)
  • FreakOut bots communicate over IRC. Detect outbound IRC connections where the NICK message matches the pattern '[HAX|' prefix, indicating a FreakOut bot registration.
  • The malware gains persistence by adding itself to rc.local. Monitor for modifications to /etc/rc.local by unexpected processes.
  • Shodan query 'http.html:"laminas"' can be used to identify exposed Laminas/Zend Framework instances potentially vulnerable to CVE-2021-3007.
  • CVE-2021-3007 was actively exploited by the FreakOut botnet alongside CVE-2020-28188 (TerraMaster TOS) and CVE-2020-7961 (Liferay Portal). Detections for any one of these CVEs should prompt investigation for the other two.
  • The out.py malware is polymorphically re-obfuscated on every download: function names and variable names change each time, making static hash-based detection unreliable.
  • All C2 connection credentials (IRC server, channel, key) are obfuscated and encoded multiple times within the malware code itself, requiring dynamic analysis or code unpacking to extract.
  • The Nuclei template exploit requires attacker-controlled serialized data to be submitted as a POST body parameter; the specific parameter name ('hello' in the template) may vary in real-world exploitation.
  • Zend Framework is no longer supported upstream; patches for CVE-2021-3007 were backported to magento-lts (versions 19.4.13 and 20.0.9) from Zend Framework 3, and the canonical fix is to migrate to laminas-http >= 2.14.2.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa                  9.8     CRITICAL
osv                   9.8     CRITICAL
vulncheck             9.8     CRITICAL