CVE-2021-43339
published 2021-11-03


Priority: P2, 63, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 9.56% (94.9th percentile)
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.

Affected (1 range)

Vendor: ericsson
Product: network_location
Version range: < 2021-07-31
Fixed in: 2021-07-31

Detection & IOCs (extracted from sources)

port: 10083
url: /api/value/v1/data/clusters
url: /api/login/nlg/gmpc/auth/tokens
url: /[CLS_ID]/[CLS_NODE_TYPE]/numbering/plmns/export?file_name=/export/home/mpcadmin/[FILENAME]
url: /[CLS_ID]/[CLS_NODE_TYPE]/smpp/export?file_name=/export/home/mpcadmin/[FILENAME]&host=[HOSTNAME]
url: /[CLS_ID]/[CLS_NODE_TYPE]/cells/gsm/cgi_cells/export?file_name=/export/home/mpcadmin/[FILENAME]
url: /[CLS_ID]/[CLS_NODE_TYPE]/psap/wireless/specific_routings/export?file_name=/export/home/mpcadmin/[FILENAME]
url: /api/value/v1/data/[CLS_ID]/product_info/about
  • Monitor HTTP GET requests to the export endpoints whose 'file_name' parameter contains a URL-encoded pipe (%7C) or other shell metacharacters; these indicate command injection attempts through the file_name parameter.
  • Detect authentication attempts against the NLG login API (POST /api/login/nlg/gmpc/auth/tokens with a JSON body containing the 'auth', 'method' and 'password' fields) that are followed immediately by export endpoint access: this matches the exploit's login-then-inject flow.
  • Detect an X-Auth-Token header on GET requests to export paths under /api/value/v1/data/; the exploit authenticates first and then replays the token on every injection request.
  • Alert on netcat bind-listener setup (mkfifo + nc -l -p 1544) originating from the MPS server process, which indicates successful RCE and establishment of a bind shell.
  • There are 20 vulnerable export areas in total across the cells, psap, numbering and smpp fields; monitor all four path patterns for anomalous file_name values.
  • The exploit targets a specific product version; verify the cluster version before applying these detections, to avoid false positives on other Ericsson NLG deployments.
  • The exploit requires an authenticated session (a valid USERNAME/PASSWORD); detections should account for the login step that precedes the injection.
  • The exploit uses SSL on port 10083 by default; enable TLS inspection on the monitoring path, otherwise detections will be blind to the injected payloads.
  • The exploiting user must hold the 'gmpc_celldata_admin' role to reach the cells/gsm/cgi_cells path; the privilege level determines which of the 20 vulnerable endpoints are reachable.
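The first two detection bullets above, as an added example that is not part of this record or of any vendor tooling: it scans constructed web-server access log lines for export requests whose decoded file_name carries shell metacharacters, and for export requests that follow an NLG login from the same client. The log format, the cluster/node-type placeholders (cls1, mpc) and the 60-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/api/login/nlg/gmpc/auth/tokens"
# Export endpoints live under /api/value/v1/data/<CLS_ID>/<CLS_NODE_TYPE>/ in the
# four affected areas named in the advisory (cells, psap, numbering, smpp).
EXPORT_RE = re.compile(
    r"^/api/value/v1/data/[^/]+/[^/]+/(?:cells|psap|numbering|smpp)/.*export$")
# Characters that never belong in a legitimate export file name.
SHELL_META = re.compile(r"[|;&$`<>\n]")
# Assumed log line format: "<ISO timestamp> <client> <method> <target> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample log: one login-then-inject sequence, one benign export.
SAMPLE_LOG = [
    "2021-11-03T10:00:00Z 198.51.100.7 POST /api/login/nlg/gmpc/auth/tokens 200",
    "2021-11-03T10:00:03Z 198.51.100.7 GET /api/value/v1/data/cls1/mpc/numbering/plmns/export"
    "?file_name=/export/home/mpcadmin/plmns.csv%7Cid 200",
    "2021-11-03T11:15:00Z 192.0.2.10 GET /api/value/v1/data/cls1/mpc/smpp/export"
    "?file_name=/export/home/mpcadmin/smpp.csv&host=h1 200",
]

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, target, status = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "method": method, "target": target, "status": int(status)}

def file_name_findings(target):
    """Return findings for an export request whose decoded file_name holds metacharacters."""
    url = urlsplit(target)
    if not EXPORT_RE.match(url.path):
        return []
    # parse_qs URL-decodes the value, so %7C is inspected as a literal '|'.
    values = parse_qs(url.query, keep_blank_values=True).get("file_name", [])
    return [f"shell metacharacter in file_name: {v!r}" for v in values if SHELL_META.search(v)]

def analyze(lines, window=timedelta(seconds=60)):
    """Yield (client, reason) alerts; correlates logins with later export requests per client."""
    alerts, last_login = [], {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["target"] == LOGIN_PATH:
            last_login[rec["client"]] = rec["ts"]
            continue
        alerts += [(rec["client"], f) for f in file_name_findings(rec["target"])]
        login = last_login.get(rec["client"])
        if login and EXPORT_RE.match(urlsplit(rec["target"]).path) and rec["ts"] - login <= window:
            alerts.append((rec["client"], "export request within 60s of NLG login"))
    return alerts

if __name__ == "__main__":
    for client, reason in analyze(SAMPLE_LOG):
        print(client, reason)
```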

CVSS provenance

NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P