CVE-2021-39392

moderate-risk
Published 2021-09-15

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

Do I need to act?

~
3.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Mylittlebackup

Affected Vendors

Mylittletools

References (4)

Broken Link http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip
Third Party Advisory https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281
Broken Link http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip
Third Party Advisory https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 5/34 · Minimal