CVE-2021-32648
Published: 2021-08-26
Priority: P1 · 96 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-02-01
Exploited in the wild
EPSS: 90.42% (99.8th percentile)
octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | system | >= 0 < 1.0.472 | 1.0.472 |
| october | system | >= 1.1.1 < 1.1.5 | 1.1.5 |
| octobercms | october | — | — |
| octobercms | october | — | — |
| octobercms | october | — | — |
| octobercms | october | >= 1.1.1 < 1.1.5 | 1.1.5 |
Detection & IOCs (extracted from sources)

Request shape used by the public exploit (step 2):

```http
POST /backend/backend/auth/reset/1/{{reset_token}} HTTP/1.1
Content-Type: application/json

{"_token":"{{csrf_token}}","postback":1,"id":1,"code":true,"password":"{{password}}"}
```

Snort rule, step 1 (trigger_reset):

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/restore"; http.request_body; content:"_token="; startswith; content:"&postback=1"; content:"&login=admin"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034929; rev:1;)
```

Snort rule, step 2 (set_password):

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/reset/1/"; http.request_body; content:"{"; startswith; content:"_token"; content:"postback"; content:"id"; content:"code"; content:"true"; content:"password"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034930; rev:1;)
```

- Exploit step 1 (trigger_reset): look for an HTTP POST to `/backend/backend/auth/restore` with a body containing `_token=`, `&postback=1` and `&login=admin`; this initiates the password reset for the admin account.
- Exploit step 2 (set_password): look for an HTTP POST to `/backend/backend/auth/reset/1/` with a JSON body containing `"code":true`; the boolean `true` value is the exploit payload that bypasses the reset code check.
- Successful exploitation results in an HTTP 302 redirect response to the password reset endpoint, followed by a successful login producing `Set-Cookie` headers for both `october_session` and `admin_auth`.
- The vulnerability is in `Auth/Models/User.php` (`checkResetPasswordCode` function, line 281), where `==` is used instead of `===` for the reset code comparison, allowing boolean `true` to match any string.
- Palo Alto Networks Threat Prevention Threat ID 92199 covers detection of this vulnerability for NGFW customers.
- Shodan query `http.component:"october cms"` can be used to identify internet-facing OctoberCMS instances potentially vulnerable to this CVE.
- The vulnerability is only exploitable when the server is running PHP below version 7.4, because PHP 7.4+ enforces stricter type handling that prevents the boolean `true` bypass.
- The exploit targets account ID 1 (the default admin account) in the reset URL path `/backend/backend/auth/reset/1/`; installations where the admin account has a different ID may require a modified exploit path.
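The two ET signatures above expressed as plain Python matchers, so the matching logic can be run and tested offline against proxy or WAF records. This is an added example, not code from the page, from Emerging Threats or from the OctoberCMS project; the `HttpRequest` record layout and the sample traffic are constructed here as assumptions. The step 2 matcher deliberately keys on the JSON *type* of `code` (the literal boolean `true`), which is the root-cause indicator the page describes, rather than on the substring `true` that the Snort rule has to settle for; it also generalizes the rule's fixed `/reset/1/` path to any account id.

```python
"""Detection logic for the two CVE-2021-32648 exploit steps (M1 trigger_reset,
M2 set_password). Added example; record layout is an assumption."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs


@dataclass
class HttpRequest:
    """Minimal view of a request as a proxy/WAF log might hand it over (assumed layout)."""
    method: str
    uri: str
    content_type: str
    body: str


RESTORE_PATH = "/backend/backend/auth/restore"
# Capture the account id so the alert can name the targeted account; the
# public PoC uses id 1 (default admin), but any id is matched here.
RESET_PATH_RE = re.compile(r"^/backend/backend/auth/reset/(\d+)/")


def match_trigger_reset(req: HttpRequest) -> bool:
    """Step 1 (mirrors sid 2034929): form POST to the restore endpoint with
    postback=1 and login=admin."""
    if req.method != "POST" or not req.uri.startswith(RESTORE_PATH):
        return False
    form = parse_qs(req.body, keep_blank_values=True)
    return ("_token" in form
            and form.get("postback") == ["1"]
            and form.get("login") == ["admin"])


def match_set_password(req: HttpRequest) -> Optional[str]:
    """Step 2 (mirrors sid 2034930): JSON POST to the reset endpoint whose
    "code" field is the boolean true. Returns the account id from the URI on a
    match, else None. A legitimate reset carries the emailed code as a string;
    the bypass sends the literal true so the loose == in checkResetPasswordCode
    accepts it against any stored code."""
    m = RESET_PATH_RE.match(req.uri)
    if req.method != "POST" or m is None:
        return None
    try:
        payload = json.loads(req.body)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("code") is True and "password" in payload and "_token" in payload:
        return m.group(1)
    return None


def scan(requests: List[HttpRequest]) -> List[str]:
    """Run both matchers over a request stream and return alert strings."""
    alerts = []
    for i, req in enumerate(requests):
        if match_trigger_reset(req):
            alerts.append(f"#{i}: M1 trigger_reset for login=admin")
        account = match_set_password(req)
        if account is not None:
            alerts.append(f"#{i}: M2 set_password with boolean code for account {account}")
    return alerts


# Constructed sample traffic: an exploit sequence shaped like the public PoC
# (records 0 and 1), a legitimate reset with a string code (2), and noise (3).
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/backend/backend/auth/restore",
                "application/x-www-form-urlencoded",
                "_token=AAAA&postback=1&login=admin"),
    HttpRequest("POST", "/backend/backend/auth/reset/1/sometoken",
                "application/json",
                '{"_token":"AAAA","postback":1,"id":1,"code":true,"password":"x"}'),
    HttpRequest("POST", "/backend/backend/auth/reset/7/sometoken",
                "application/json",
                '{"_token":"BBBB","postback":1,"id":7,"code":"sometoken","password":"y"}'),
    HttpRequest("GET", "/backend", "", ""),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REQUESTS):
        print(line)
```

Running the block prints one M1 alert for record 0 and one M2 alert for record 1; the legitimate reset in record 2 is not flagged because its `code` is a string. Pairing an M1 hit with a later M2 hit from the same client, and then a 302 plus `Set-Cookie: admin_auth` in the response, gives the full exploitation sequence the page describes.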
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| ghsa | | 9.1 | CRITICAL | |
| osv | | 9.1 | CRITICAL | |
| vulncheck | | 8.2 | HIGH | |
| cisa | | 9.1 | CRITICAL | |
GHSA
October CMS auth bypass and account takeover
ghsa · 2021-08-30 · CVSS 9.1
CVE-2021-29487 [CRITICAL] CWE-287 October CMS auth bypass and account takeover
### Impact
An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.
- To exploit this vulnerability, an attacker must obtain Laravel's secret key for cookie encryption and signing.
- Due to the logic of how this mechanism works, the targeted user account must be logged in while the attacker is exploiting the vulnerability.
- Authorization via the persist cookie is not shown in access logs.
### Patches
- The issue has been patched in Build 472 and v1.1.5
- [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)
### Workarounds
Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b82
OSV
October CMS auth bypass and account takeover
osv · 2021-08-30 · CVSS 9.1
CVE-2021-29487 [CRITICAL] October CMS auth bypass and account takeover
(Advisory text identical to the GHSA entry above.)
OSV
Account Takeover in Octobercms
osv · 2021-08-30 · CVSS 9.1
CVE-2021-32648 [CRITICAL] Account Takeover in Octobercms
### Impact
An attacker can request an account password reset and then gain access to the account using a specially crafted request.
- To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form.
### Patches
- The issue has been patched in Build 472 and v1.1.5
- [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)
### Workarounds
Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.
[**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)
GHSA
Account Takeover in Octobercms
ghsa · 2021-08-30 · CVSS 9.1
CVE-2021-32648 [CRITICAL] CWE-287 Account Takeover in Octobercms
(Advisory text identical to the OSV entry above.)
VulnCheck
October CMS Improper Authentication
vulncheck · 2021 · CVSS 8.2
CVE-2021-32648 [HIGH] CWE-287 October CMS Improper Authentication
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
- Affected: October CMS (vendor) / October CMS (product)
- Required action: apply updates per vendor instructions.
- Exploitation references: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.ptsecurity.com/ww-en/analytics/cyberthreats-in-the-public-sector/
- Exploit PoC: https://vulncheck.com/xdb/9efd406c8865
- Remediation due: 2022-02-01
CISA
October CMS Improper Authentication
cisa · 2022-01-18 · CVSS 9.1
CVE-2021-32648 [CRITICAL] CWE-287 October CMS Improper Authentication
- Vulnerability: October CMS Improper Authentication
- Affected: October CMS (vendor) / October CMS (product)
- In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
- Required action: apply updates per vendor instructions.
- Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-32648
- Remediation due date: 2022-02-01
Suricata
ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)
suricata · 2022-01-18 · CVSS 8.2
CVE-2021-32648 [HIGH] ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)
Rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/reset/1/"; http.request_body; content:"{"; startswith; content:"_token"; content:"postback"; content:"id"; content:"code"; content:"true"; content:"password"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034930; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag E
```
Suricata
ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)
suricata · 2022-01-18 · CVSS 8.2
CVE-2021-32648 [HIGH] ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)
Rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/restore"; http.request_body; content:"_token="; startswith; content:"&postback=1"; content:"&login=admin"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034929; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_18, mitre
```
Nuclei
OctoberCMS - Account Takeover
nuclei · CVSS 9.1
CVE-2021-32648 [CRITICAL] OctoberCMS - Account Takeover
octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
Template:

```yaml
id: CVE-2021-32648

info:
  name: OctoberCMS - Account Takeover
  author: daffainfo
  severity: high
  description: |
    octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
  impact: |
    Unauthenticated attackers can request password resets and g
```
Unit42
Threat Brief: Ongoing Russia and Ukraine Cyber Activity
blogs_unit42 · 2022-01-20 · CVSS 8.2
CVE-2021-32648 [HIGH] Threat Brief: Ongoing Russia and Ukraine Cyber Activity
## Threat Brief: Ongoing Russia and Ukraine Cyber Activity
Robert Falcone, Mike Harbison, Josh Grunzweig
Published: January 20, 2022
Tags: High Profile Threats, Malware, Vulnerabilities, CVE-2021-32648, OctoberCMS, Russia, Ukraine, WhisperGate, Windows
## Executive Summary
Beginning on Jan. 14, 2022, reports began emerging about a series of attacks targeting numerous Ukrainian government websites. As a result of these attacks, numerous government websites were found to be either defaced or inaccessible. In response, the government of Ukraine formally accused Russia of masterminding these attacks against their websites.
A day later, public reporting outlined new malware called WhisperGate that originally was observed on Jan. 13, 2022. This malware disables Windows Defender Threat Protection, is destructive in nature and was discovered to have targeted multiple organizations in Ukraine. Microsoft has publicly attributed the use of this custom malware to a threat actor they refer to as DEV-0586.
Though both attacks have targeted
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Greynoiseio
Malicious Tag Roundup (January 2022)
blogs_greynoiseio
References
- https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374
- https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9
- https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648

Timeline
- 2021-08-26: Published
- 2022-01-18: Added to CISA KEV
- Exploited in the wild