CVE-2021-20837

9.8 CRITICAL

📋 TL;DR

CVE-2021-20837 is a critical remote command injection vulnerability in Movable Type's XMLRPC API that allows unauthenticated attackers to execute arbitrary operating system commands on affected servers. This affects all versions of Movable Type 4.0 and later, including unsupported end-of-life versions. The vulnerability has a CVSS score of 9.8, indicating critical severity.

💻 Affected Systems

Products:
  • Movable Type 7 Series
  • Movable Type 6 Series
  • Movable Type Advanced 7 Series
  • Movable Type Advanced 6 Series
  • Movable Type Premium
  • Movable Type Premium Advanced
Versions: Movable Type 7 r.5002 and earlier, Movable Type 6.8.2 and earlier, Movable Type Advanced 7 r.5002 and earlier, Movable Type Advanced 6.8.2 and earlier, Movable Type Premium 1.46 and earlier, Movable Type Premium Advanced 1.46 and earlier, plus all versions 4.0+ including EOL versions
Operating Systems: All operating systems running affected Movable Type versions
Default Config Vulnerable: ⚠️ Yes
Notes: All versions from 4.0 onward are affected, including unsupported end-of-life versions. The vulnerability exists in the XMLRPC API component.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with the web server's privileges, potentially leading to data theft, ransomware deployment, or creation of persistent backdoors.

🟠 Likely Case

Remote code execution leading to website defacement, data exfiltration, or use of the server as part of a botnet.

🟢 If Mitigated

Limited impact if proper network segmentation, web application firewalls, and least-privilege configurations are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit proofs-of-concept exist, and the vulnerability is actively exploited in the wild. Attack requires network access to the XMLRPC endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Movable Type 7.8.2, Movable Type 6.8.3, and corresponding versions for Advanced/Premium editions

Vendor Advisory: https://movabletype.org/news/2021/10/mt-782-683-released.html

Restart Required: Yes

Instructions:

1. Back up your Movable Type installation and database.
2. Download the patched version from the official Movable Type website.
3. Replace the affected files with the patched version.
4. Restart the web server.
5. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Disable XMLRPC API (all platforms)

Temporarily disable the vulnerable XMLRPC API endpoint if immediate patching is not possible. Block it in the web server configuration so requests never reach the CGI script:

# Apache (2.4 syntax; on Apache 2.2 use "Order deny,allow" and "Deny from all" instead).
# Add to .htaccess or the virtual host. Adjust the filename to the script your
# installation actually exposes (a stock Movable Type install ships it as mt-xmlrpc.cgi).
<Files "xmlrpc.cgi">
    Require all denied
</Files>

# Nginx: add to the server block
location ~* /xmlrpc\.cgi$ { deny all; }

Network Access Control (linux)

Restrict access to the XMLRPC endpoint using firewall rules.

# Example iptables rules to block external access to XMLRPC.
# String matching only works on plaintext HTTP (port 80): the port 443 rule below
# cannot see inside TLS and will never match, and a request split across packets
# evades the match, so treat this as a stopgap alongside the web-server block above.
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /xmlrpc.cgi" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "POST /xmlrpc.cgi" --algo bm -j DROP

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with rules to block XMLRPC command injection attempts.
  • Isolate the Movable Type server in a segmented network zone with strict egress filtering.

🔍 How to Verify

Check if Vulnerable:

Check if your Movable Type version is within the affected range by examining the version number in the admin interface or checking the mt-config.cgi file.

Check Version:

Check the Movable Type admin dashboard or examine the mt-config.cgi file for version information.

Verify Fix Applied:

Verify the version has been updated to 7.8.2 or 6.8.3 (or corresponding patched versions for Advanced/Premium) in the admin dashboard.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /xmlrpc.cgi with suspicious parameters
  • Commands like 'system', 'exec', 'shell_exec' in web server logs
  • Unexpected process execution from the web server user

Network Indicators:

  • Unusual outbound connections from the web server to external IPs
  • Spike in traffic to the XMLRPC endpoint

SIEM Query:

source="web_server_logs" AND (uri_path="/xmlrpc.cgi" AND (method="POST" AND (param="*system*" OR param="*exec*" OR param="*shell*")))

Note that standard access logs do not record POST bodies, so the param conditions only fire when request bodies are logged by a WAF or reverse proxy; the POST-to-/xmlrpc.cgi condition on its own still works with ordinary access logs.
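An added example, not part of this advisory: a small Python detector that applies the log indicators above (POST requests to the XML-RPC endpoint, and a spike from one client) to constructed Apache combined-format access-log lines. It assumes the endpoint is either the /xmlrpc.cgi path used on this page or the stock Movable Type script name mt-xmlrpc.cgi.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2021:10:00:01 +0000] "GET /mt/mt.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2021:10:00:03 +0000] "POST /mt/mt-xmlrpc.cgi HTTP/1.1" 200 312 "-" "python-requests/2.25"
198.51.100.7 - - [20/Oct/2021:10:00:04 +0000] "POST /mt/mt-xmlrpc.cgi HTTP/1.1" 200 312 "-" "python-requests/2.25"
198.51.100.7 - - [20/Oct/2021:10:00:05 +0000] "POST /mt/mt-xmlrpc.cgi HTTP/1.1" 500 0 "-" "python-requests/2.25"
192.0.2.9 - - [20/Oct/2021:10:01:00 +0000] "POST /mt/mt-xmlrpc.cgi HTTP/1.1" 403 199 "-" "curl/7.68"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Assumption: the endpoint is /xmlrpc.cgi (this page) or the stock script name mt-xmlrpc.cgi.
XMLRPC_RE = re.compile(r'/(mt-)?xmlrpc\.cgi$', re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def xmlrpc_posts(log_text):
    """Records for POST requests whose path (query string stripped) is the XML-RPC endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and XMLRPC_RE.search(rec["path"].split("?", 1)[0]):
            hits.append(rec)
    return hits

def flag_sources(records, threshold=3, window_seconds=60):
    """Client IPs that sent at least `threshold` XML-RPC POSTs inside any `window_seconds` window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged
```

A 403 on the XML-RPC POST (the last sample line) is what you should see once the web-server block from the workaround section is in place; 200 or 500 responses mean the endpoint is still reachable.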
