CVE-2021-35064
published 2021-07-12


Priority: P1 · 89 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 70.75% (99.3rd percentile)
KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg.

Detection & IOCs (extracted from sources)

path: /ajaxPages/writeBrowseFilePathAjax.php
path: /var/www/html/test.php
url: https://{host}/ajaxPages/writeBrowseFilePathAjax.php
url: https://{host}/test.php?cmd=sudo rpm --eval '%{lua:os.execute("<cmd>")}'
command: sudo rpm --eval '%{lua:os.execute("<cmd>")}'
Snort rule:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/ajaxPages/writeBrowseFilePathAjax.php"; fast_pattern; http.request_body; content:"radioBtnVal="; content:"associateFileName="; reference:cve,2021-36356; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,packetstormsecurity.com/files/166623/Kramer-VIAware-Remote-Code-Execution.html; reference:url,write-up.github.io/kramerav/; reference:cve,2021-35064; classtype:attempted-admin; sid:2036738; rev:2; metadata:attack_target Server, created_at 2022_06_01, cve CVE_2021_35064_CVE_2021_36356, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect POST requests to /ajaxPages/writeBrowseFilePathAjax.php with both 'radioBtnVal=' and 'associateFileName=' in the request body — the core exploit primitive for arbitrary file write.
  • The exploit writes a PHP webshell to /var/www/html/ via the associateFileName parameter; monitor for new .php file creation in the Apache web root on VIAware hosts.
  • Post-exploitation RCE is achieved via 'sudo rpm --eval' Lua code execution; monitor for rpm processes spawned by the web server user (e.g., www-data) with '--eval' arguments.
  • Privilege escalation abuses misconfigured sudoers allowing dangerous commands including unzip, systemctl, and dpkg; audit sudoers for these entries on VIAware appliances.
  • FOFA fingerprint icon_hash="1521468900" can be used to identify internet-exposed Kramer VIAware instances for proactive scanning.
  • Nuclei detection canary: POST PHP payload <?php echo md5("CVE-2021-35064"); ?> to writeBrowseFilePathAjax.php and check response body for MD5 value 44f63b292601ec4ab0d8c3244c9f5ebe.
  • The ET OPEN Snort rule (sid:2036738) fires on POST to the exact 38-byte URI /ajaxPages/writeBrowseFilePathAjax.php with both exploit body parameters present; deploy on perimeter and internal sensors.
  • The exploit uses HTTPS with certificate verification disabled (verify=False); TLS inspection is required on network sensors to detect this traffic in encrypted environments.
  • The Nuclei template uses a randomised filename ({{randstr}}.php) for the dropped webshell, so static filename-based detection of 'test.php' alone will miss automated scanner activity.
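A defender-side check for the sudoers audit point in the list above, added here as an example (it is not code from this page, from KramerAV, or from the Snort rule's authors): it parses a sudoers file, expands Cmnd_Alias names and NOPASSWD:/PASSWD: tags, and flags any non-root principal allowed to run unzip, systemctl, dpkg or rpm, or granted unrestricted ALL. The rpm entry is on the watch list because the page's documented post-exploitation command is sudo rpm --eval. The sudoers text embedded in the script is constructed for illustration and does not come from a VIAware appliance; the watch list and the parsing rules are assumptions to tune per appliance.

```python
"""Audit a sudoers file for rules that let a non-root account run binaries
which hand out arbitrary code execution as root.

Added example for CVE-2021-35064. The sample sudoers text below is
constructed for illustration; it is not taken from a VIAware appliance.
"""
import os
import re

# Binaries named on the page: unzip, systemctl and dpkg from the CVE text,
# rpm from the documented 'sudo rpm --eval' post-exploitation command.
DANGEROUS = {"unzip", "systemctl", "dpkg", "rpm"}

CMND_ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")
USER_SPEC_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.*)$")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")   # (root), (ALL:ALL), ...
TAG_RE = re.compile(r"^([A-Z_]+):\s*")    # NOPASSWD:, SETENV:, ...

# Constructed sample, NOT a real VIAware sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset, secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Cmnd_Alias PKG = /usr/bin/dpkg, /bin/rpm
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/unzip, /bin/systemctl, \\
                              PKG
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
%admin   ALL=(ALL) ALL
"""


def _logical_lines(text):
    """Yield non-comment sudoers lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        # '#' lines are comments, '#include'/'@include' directives are not followed here
        if line and not line.startswith(("#", "@")):
            yield line


def _expand(item, aliases, depth=0):
    """Replace a Cmnd_Alias name with its commands (aliases may nest)."""
    if item in aliases and depth < 8:
        out = []
        for sub in aliases[item]:
            out.extend(_expand(sub, aliases, depth + 1))
        return out
    return [item]


def _commands(rhs, aliases):
    """Parse the right-hand side of a user spec into (nopasswd, command) pairs.
    A NOPASSWD:/PASSWD: tag applies to every following command in the spec."""
    nopasswd = False
    pairs = []
    for item in rhs.split(","):
        item = RUNAS_RE.sub("", item.strip(), count=1)   # drop per-command (runas)
        while (m := TAG_RE.match(item)):
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            item = item[m.end():].lstrip()
        if not item or item.startswith("!"):             # empty or negated entry
            continue
        for cmd in _expand(item, aliases):
            pairs.append((nopasswd, cmd))
    return pairs


def audit_sudoers(text):
    """Return one finding dict per rule that grants a watch-listed binary or
    unrestricted ALL to a principal other than root."""
    aliases = {}
    findings = []
    for line in _logical_lines(text):
        first = line.split()[0]
        if first.startswith("Defaults"):                 # Defaults, Defaults:user, ...
            continue
        m = CMND_ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
            continue
        if first.endswith("_Alias"):                     # User_/Host_/Runas_Alias: not expanded here
            continue
        m = USER_SPEC_RE.match(line)
        if not m:
            continue
        principal, _host, rhs = m.groups()
        if principal == "root":
            continue
        for nopasswd, cmd in _commands(rhs, aliases):
            exe = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if exe == "ALL":
                reason = "unrestricted ALL"
            elif exe in DANGEROUS:
                reason = f"{exe} can execute arbitrary code as root"
            else:
                continue
            findings.append({"principal": principal, "command": cmd,
                             "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        mode = "NOPASSWD" if f["nopasswd"] else "password"
        print(f'{f["principal"]:<10} {f["command"]:<18} [{mode}] {f["reason"]}')
```

On an appliance, feed it the real policy with `audit_sudoers(open("/etc/sudoers").read())` and repeat for each file under /etc/sudoers.d/. The parser covers the common constructs only (no User_Alias or Host_Alias expansion, no `#include` following), so treat its output as a triage list and confirm the effective policy with `sudo -l -U www-data` on the host.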

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL