CVE-2021-20837

critical-risk
Published 2021-10-26

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.

Do I need to act?

!
94.2% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50464
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (5)

Affected Vendors

Sixapart

References (8)

Exploit http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Rem...
Third Party Advisory http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Rem...
Third Party Advisory https://jvn.jp/en/jp/JVN41119755/index.html
Release Notes https://movabletype.org/news/2021/10/mt-782-683-released.html
Exploit http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Rem...
Third Party Advisory http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Rem...
Third Party Advisory https://jvn.jp/en/jp/JVN41119755/index.html
Release Notes https://movabletype.org/news/2021/10/mt-782-683-released.html
71
/ 100
critical-risk
Severity 32/34 · Critical
Exploitability 27/34 · High
Exposure 12/34 · Low