cbcvebase.
CVE-2021-3317
published 2021-01-26

CVE-2021-3317: KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.

Priority: P2 (71, high); CVSS 3.1 base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 41.39% (98.5th percentile)

Affected

1 range
Vendor: klogserver | Product: klog_server | Version range: <= 2.4.1 | Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: /actions/async.php
url: /actions/async.php?action=stream&source=;<command>;
snort: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Klog Server Command Injection Inbound (CVE-2021-3317)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/async.php?action="; content:"&source=|3b|"; fast_pattern; reference:cve,2021-3317; classtype:attempted-admin; sid:2032638; rev:1; metadata:attack_target Server, created_at 2021_04_09, cve CVE_2021_3317, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes: &source=|3b|
  • Monitor HTTP requests to /actions/async.php where the 'source' query parameter contains a semicolon (URL-encoded as %3b or |3b|), indicating shell command injection attempts.
  • The exploit performs a POST to /actions/authenticate.php for login (HTTP 302 redirect on success), followed immediately by a GET to /actions/async.php?action=stream&source=;<cmd>;. Correlate these two sequential requests from the same source IP as a strong exploitation signal.
  • The Snort/Suricata rule (ET SID 2032638) triggers on HTTP POST to URIs matching /async.php?action= with &source=|3b| (semicolon byte). Deploy or tune this rule on perimeter and internal sensors.
  • The injected command runs as uid=48(apache) gid=48(apache). Alert on apache-owned processes spawning unexpected child processes (e.g., /bin/sh, id, whoami) as a host-based detection signal.
  • Exploitation requires prior authentication; the attacker must supply valid credentials before injecting commands via the source parameter.
  • The PoC uses allow_redirects=False and verify=False (TLS verification disabled), meaning the server may be using a self-signed certificate; detection rules should cover both HTTP and HTTPS traffic.
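As an added example (not from this page and not KLog Server's own code) of the detection guidance in the bullets above: a small Python checker over constructed Apache-style access-log lines that flags /actions/async.php requests whose source parameter contains a semicolon after percent-decoding, and marks whether the same client IP completed a POST to /actions/authenticate.php shortly before. The 60-second correlation window and the sample log lines are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Jan/2021:10:00:01 +0000] "POST /actions/authenticate.php HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
203.0.113.10 - - [26/Jan/2021:10:00:02 +0000] "GET /actions/async.php?action=stream&source=%3Bid%3B HTTP/1.1" 200 57 "-" "python-requests/2.25.1"
198.51.100.7 - - [26/Jan/2021:10:05:00 +0000] "GET /actions/async.php?action=stream&source=syslog HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jan/2021:10:06:00 +0000] "GET /actions/async.php?action=stream&source=;id; HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTH_WINDOW = timedelta(seconds=60)  # assumed correlation window, not from the page

def parse_query(uri):
    """Split the query on '&' and '=' only, then percent-decode each part.
    Done by hand so a ';' inside a value is never treated as a separator."""
    _, _, query = uri.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params

def detect(log_text):
    """One alert per async.php request whose 'source' value contains ';'.
    'correlated' is True when the same IP got a 302 from a POST to
    /actions/authenticate.php within AUTH_WINDOW before that request."""
    last_auth = {}  # ip -> timestamp of the last successful login POST
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        path = m["uri"].split("?", 1)[0]
        if m["method"] == "POST" and path == "/actions/authenticate.php" and m["status"] == "302":
            last_auth[m["ip"]] = ts
        source = parse_query(m["uri"]).get("source", "")
        # Both GET and POST are checked: the PoC uses GET, the ET rule matches POST.
        if path.endswith("/async.php") and ";" in source:
            recent = m["ip"] in last_auth and timedelta(0) <= ts - last_auth[m["ip"]] <= AUTH_WINDOW
            alerts.append({"ip": m["ip"], "method": m["method"], "source": source, "correlated": recent})
    return alerts
```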

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, vector AV:N/AC:L/Au:S/C:P/I:P/A:P