CVE-2021-3129
published 2021-01-12

Priority: P1 (score 100) · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability: remediation due 2023-10-09
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

Affected (5 ranges)

Vendor   Product    Version range          Fixed in
facade   ignition   < 2.5.2                2.5.2
facade   ignition   >= 0 < 1.6.15          1.6.15
facade   ignition   >= 1.7.0 < 1.16.14     1.16.14
facade   ignition   >= 2.0.0 < 2.4.2       2.4.2
facade   ignition   >= 2.5.0 < 2.5.2       2.5.2

Detection & IOCs (extracted from sources)

URL: /_ignition/execute-solution
  • Monitor for HTTP POST requests targeting the /_ignition/execute-solution endpoint, especially with base64-encoded payloads in the request body, as this is the attack vector for CVE-2021-3129 exploitation.
  • CVE-2021-3129 is actively exploited by the RUBYCARP botnet to gain initial access to Laravel applications; look for shellbot (Perl-based) payloads connecting to IRC-based C2 channels post-exploitation.
  • CVE-2021-3129 is included in the Necro Python bot's exploit arsenal; watch for Necro bot spreading activity (IRC C2, XMRig miner installation, .bootstrap.sh dropper script) following Laravel exploitation.
  • Stolen credentials from systems vulnerable to CVE-2021-3129 have been traced to LLMjacking campaigns; monitor for unexpected InvokeModel API calls or ValidationException errors with max_tokens_to_sample set to -1 after a Laravel compromise.
  • Use GreyNoise to identify IPs opportunistically scanning for or exploiting CVE-2021-3129 at scale to prioritize patching and block mass-exploitation sources.
  • The vulnerability is only exploitable when Laravel debug mode is enabled in production; sites running Laravel >= 8.4.2 or Ignition >= 2.5.2 are not affected.
  • The exploit abuses insecure usage of file_get_contents() and file_put_contents() in Ignition; detection rules should account for these PHP file operation calls being triggered via the debug route.
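The endpoint monitoring and version checks above, as an added example that is not part of this record: it flags POST requests to /_ignition/execute-solution in web-server access logs and tests an Ignition version string against the affected ranges in the table. It assumes the common Apache/nginx combined log format; the sample log lines are constructed for the example.

```python
import re

# Apache/nginx "combined" access-log format (assumed); sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
IGNITION_ROUTE = "/_ignition/execute-solution"

# Branch-specific affected ranges from the table above, as (lower inclusive, upper exclusive).
# The branch rows are used instead of the blanket "< 2.5.2" row so that the backported
# fix releases 1.6.15, 1.16.14 and 2.4.2 are not flagged as vulnerable.
AFFECTED = [((0,), (1, 6, 15)), ((1, 7, 0), (1, 16, 14)),
            ((2, 0, 0), (2, 4, 2)), ((2, 5, 0), (2, 5, 2))]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def ignition_is_affected(version):
    """True if an Ignition version string falls inside an affected range."""
    t = parse_version(version)
    return any(lo <= t < hi for lo, hi in AFFECTED)

def find_ignition_posts(lines):
    """One record per POST to the execute-solution route (query string and trailing slash ignored)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "POST" and path == IGNITION_ROUTE:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits

def count_by_source(hits):
    """Aggregate hits per source IP so mass scanners stand out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 1024',
    '198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET /_ignition/health-check HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Oct/2023:12:00:04 +0000] "POST /_ignition/execute-solution/?x=1 HTTP/1.1" 200 0',
]
```

Access logs do not carry request bodies, so the base64 payload check from the first bullet needs WAF or request-body logging; the status field is kept so an analyst can see whether the route answered at all.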

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL