Remote Command Injection Vulnerability in Movable Type by Six Apart
CVE-2021-20837
Key Information:
- Vendor: Six Apart Ltd.
- CVE Published: 26 October 2021
What is CVE-2021-20837?
Movable Type 7 r.5002 and earlier, 6.8.2 and earlier, and the corresponding Advanced and Premium series contain a remote command injection vulnerability. An attacker can use it to execute arbitrary operating system commands on the host through unspecified vectors, which threatens the integrity and confidentiality of affected installations. All Movable Type versions from 4.0 onward are affected, including releases that have reached End-of-Life status, so updating to a patched version is the only reliable remediation.
Affected Version(s)
- Movable Type 7 r.5002 and earlier (Movable Type 7 Series)
- Movable Type 6.8.2 and earlier (Movable Type 6 Series)
- Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series)
- Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series)
- Movable Type Premium 1.46 and earlier
- Movable Type Premium Advanced 1.46 and earlier
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. Public PoC code is also a key input to weaponization, and a weaponized exploit can in turn be used in ransomware campaigns.
EPSS Score
94% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
