CVE-2021-30461
Published 2021-05-29
Priority P187 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 36.63% (98.3th percentile)
A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| voipmonitor | voipmonitor | < 24.61 | 24.61 |
Detection & IOCs (extracted from sources)
- Look for POST requests to /index.php containing both 'SPOOLDIR' and 'recheck' parameters in the body, especially where SPOOLDIR contains PHP function calls or code injection patterns (e.g., system(), passthru(), exec()).
- Shodan/FOFA fingerprint for exposed VoIPmonitor instances: search for HTTP title 'VoIPmonitor' or 'voipmonitor' to identify attack surface.
- Successful exploitation response body will contain 'uid=', 'gid=', 'groups=' (output of the 'id' command) alongside 'VoIPmonitor installation'; monitor HTTP responses for this combination.
- The vulnerability is unauthenticated; no session cookie or prior login is required. Any POST to /index.php with the recheck parameter from an unauthenticated source should be treated as suspicious.
- The injection point is the 'recheck' workflow: the SPOOLDIR parameter is only written into config/configuration.php when the 'recheck' option is invoked, so exploitation requires that specific POST parameter to be present.
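
One way to apply the request and response checks from the detection notes above to captured HTTP traffic, as an added example (not code from VoIPmonitor or from the feeds this page aggregates). The function names, verdict labels, sample requests and the host `voip.example` are constructed for illustration, and treating a missing `Cookie` header as "unauthenticated" is an approximation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PHP call patterns named in the detection notes above.
PHP_CALL = re.compile(r"\b(system|passthru|exec)\s*\(", re.IGNORECASE)

def classify_request(raw: bytes) -> str:
    """Return 'benign', 'suspicious' or 'injection' for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return "benign"  # not a parseable request line
    if method.upper() != "POST" or urlsplit(target).path != "/index.php":
        return "benign"
    # parse_qs URL-decodes values, so percent-encoded parentheses still match.
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    if "recheck" not in params:
        return "benign"  # SPOOLDIR is only written during the recheck workflow
    if PHP_CALL.search(" ".join(params.get("SPOOLDIR", []))):
        return "injection"
    headers = {k.strip().lower(): v for k, _, v in (l.partition(":") for l in lines[1:])}
    # SPOOLDIR + recheck together, or recheck with no session cookie at all.
    return "suspicious" if "SPOOLDIR" in params or "cookie" not in headers else "benign"

def response_shows_execution(body: str) -> bool:
    """True when `id` output appears alongside the 'VoIPmonitor installation' text."""
    markers = ("uid=", "gid=", "groups=", "VoIPmonitor installation")
    return all(m in body for m in markers)

# Constructed samples (not captured traffic).
SAMPLE_INJECT = (b"POST /index.php HTTP/1.1\r\nHost: voip.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"SPOOLDIR=%2Ftmp%3Bpassthru%28%27id%27%29&recheck=1")
SAMPLE_OTHER = (b"POST /index.php HTTP/1.1\r\nHost: voip.example\r\n"
                b"Cookie: PHPSESSID=abc\r\n\r\naction=save")

if __name__ == "__main__":
    for name, req in (("inject", SAMPLE_INJECT), ("other", SAMPLE_OTHER)):
        print(name, classify_request(req))
```

Web server access logs rarely record POST bodies, so this kind of check needs full request capture (reverse proxy, WAF or packet capture) as its input.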
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
GHSA
GHSA-h672-6987-6r49 · ghsa_unreviewed · 2022-05-24
CVE-2021-30461 [CRITICAL] CWE-94
A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.
VulnCheck
CVE-2021-30461 [CRITICAL] voipmonitor voipmonitor Improper Control of Generation of Code ('Code Injection')
vulncheck · 2021 · CVSS 9.8
A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.
Affected: voipmonitor voipmonitor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-06&host_type=src&vulnerability=cve-2021-30461; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-07&host_type=src&vulnerability=cve-2021-30461; https
No detection rules found.
Nuclei
CVE-2021-30461 [CRITICAL] VoipMonitor <24.61 - Remote Code Execution
nuclei · CVSS 9.8
VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.
Template:
```yaml
id: CVE-2021-30461
info:
  name: VoipMonitor <24.61 - Remote Code Execution
  author: shifacyclewala,hackergautam
  severity: critical
  description: |
    VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected
```