CVE-2021-20837
Description
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Movable Type XMLRPC API contains an OS command injection vulnerability allowing remote attackers to execute arbitrary commands on affected versions.
Vulnerability
Movable Type XMLRPC API (mt-xmlrpc.cgi) contains an OS command injection vulnerability (CWE-78). The flaw affects Movable Type 7 r.5004 and earlier [3], Movable Type 6.8.4 and earlier [3], Movable Type Advanced 7 r.5004 and earlier [3], Movable Type Advanced 6.8.4 and earlier [3], Movable Type Premium 1.48 and earlier [3], Movable Type Premium Advanced 1.48 and earlier [3], and all versions of Movable Type 4.0 or later including unsupported (EOL) versions [3]. The issue occurs when a specially crafted POST request is sent to the XMLRPC API endpoint [3].
Exploitation
An attacker can send a malicious message via the POST method to the Movable Type XMLRPC API to trigger arbitrary OS command execution [3]. No authentication is required if the endpoint is accessible on the Internet [4]. Proof-of-concept (PoC) code has been made public, and attacks exploiting this vulnerability have been observed in the wild [3].
Impact
Successful exploitation allows a remote attacker to execute arbitrary OS commands on the server that hosts the vulnerable Movable Type installation [3]. This can lead to full system compromise, including data theft, malware installation, or further network attacks. The impact is critical due to the lack of required privileges and the widespread presence of the vulnerable endpoint.
Mitigation
Six Apart released fixed versions: Movable Type 7 r.5003 (v7.8.2), Movable Type 6.8.3, and corresponding Advanced and AMI versions [4]. Users are strongly recommended to upgrade immediately [4]. For those who cannot upgrade, workarounds include removing execution permissions on mt-xmlrpc.cgi, deleting the file, restricting Internet access to the script, or using the PSGI environment setting RestrictedPSGIApp xmlrpc in mt-config.cgi (version 6.2 and later) or XMLRPCScript with a long random string (version 6.1 and earlier) [4]. This vulnerability is actively exploited and should be prioritized for patching [3].
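Because the workarounds above amount to making mt-xmlrpc.cgi unreachable, a defender will want to confirm from web server logs that nobody is still reaching it, and to see which clients were POSTing to it before the fix landed. The following triage script is an added example, not code from the CVE record, Six Apart or Movable Type: it parses Apache combined-format access log lines, keeps only requests whose script name is mt-xmlrpc.cgi, and separates POSTs the server accepted (2xx) from ones it rejected. The log lines and the install path /cgi-bin/mt/ are constructed for the example; substitute your own log file.

```python
"""Triage access-log lines for requests to the Movable Type XMLRPC endpoint.

Added example (not part of the CVE record or of Movable Type). SAMPLE_LOG is
constructed data and "/cgi-bin/mt/" is an assumed install location.
"""
import re
from collections import Counter

# Apache "combined" log format; the request line is split into method/path/protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

XMLRPC_SCRIPT = "mt-xmlrpc.cgi"  # script name from the advisory

# Constructed sample: two accepted POSTs from one client, one POST rejected
# with 403 after access was restricted, unrelated traffic, and one junk line.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2021:10:01:02 +0000] "GET /cgi-bin/mt/mt.cgi HTTP/1.1" 200 5120
198.51.100.7 - - [27/Oct/2021:10:01:09 +0000] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 412
198.51.100.7 - - [27/Oct/2021:10:01:10 +0000] "POST /cgi-bin/mt/mt-xmlrpc.cgi?x=1 HTTP/1.1" 200 398
203.0.113.5 - - [27/Oct/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.9 - - [27/Oct/2021:10:03:15 +0000] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 403 199
garbage line that does not parse
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop any query string so the script name compares cleanly.
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def find_xmlrpc_requests(lines):
    """Return parsed entries whose request targets mt-xmlrpc.cgi (any method)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["path"].rsplit("/", 1)[-1] == XMLRPC_SCRIPT:
            hits.append(entry)
    return hits


def summarize(hits):
    """Split XMLRPC POSTs by client into accepted (2xx) and rejected (anything else).

    Once the script has been removed, made non-executable or blocked, any entry
    in "accepted" means the workaround is not actually in effect for that path.
    """
    accepted, blocked = Counter(), Counter()
    for h in hits:
        if h["method"] != "POST":
            continue
        if 200 <= h["status"] < 300:
            accepted[h["ip"]] += 1
        else:
            blocked[h["ip"]] += 1
    return {"accepted": dict(accepted), "blocked": dict(blocked)}


if __name__ == "__main__":
    found = find_xmlrpc_requests(SAMPLE_LOG.splitlines())
    report = summarize(found)
    print(f"{len(found)} request(s) to {XMLRPC_SCRIPT}")
    print("accepted POSTs per client:", report["accepted"])
    print("rejected POSTs per client:", report["blocked"])
```

Feed it real log lines with `find_xmlrpc_requests(open(path))`. Clients that appear under "accepted" after the fixed version or a workaround was deployed are worth a closer look in the Movable Type activity log and on the host itself, since a successful POST to a vulnerable endpoint is exactly the precondition the advisory describes.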
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7 r.5002
- Range: <=7 r.5002
- Range: <=1.46
- Six Apart Ltd. / Movable Type. Range: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
- packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
- jvn.jp/en/jp/JVN41119755/index.html
- movabletype.org/news/2021/10/mt-782-683-released.html
News mentions
No linked articles in our index yet.