cbcvebase.
CVE-2021-30461
published 2021-05-29

CVE-2021-30461: A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value…

PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
36.63%
98.3th percentile
A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
voipmonitorvoipmonitor< 24.6124.61

Detection & IOCsextracted from sources · hover to see the quote

url/index.php
commandSPOOLDIR=test".system(id)."&recheck=Recheck
pathconfig/configuration.php
  • Look for POST requests to /index.php containing both 'SPOOLDIR' and 'recheck' parameters in the body, especially where SPOOLDIR contains PHP function calls or code injection patterns (e.g., system(), passthru(), exec()).
  • Shodan/FOFA fingerprint for exposed VoIPmonitor instances: search for HTTP title 'VoIPmonitor' or 'voipmonitor' to identify attack surface.
  • Successful exploitation response body will contain 'uid=', 'gid=', 'groups=' (output of the 'id' command) alongside 'VoIPmonitor installation' — monitor HTTP responses for this combination.
  • The vulnerability is unauthenticated; no session cookie or prior login is required. Any POST to /index.php with the recheck parameter from an unauthenticated source should be treated as suspicious.
  • ·The injection point is the 'recheck' workflow: the SPOOLDIR parameter is only written into config/configuration.php when the 'recheck' option is invoked, so exploitation requires that specific POST parameter to be present.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.