CVE-2021-21425
📋 TL;DR
CVE-2021-21425 is an unauthenticated remote code execution vulnerability in the Grav Admin Plugin. It allows attackers to invoke arbitrary controller methods without credentials, modify YAML configuration files, and ultimately achieve command execution. It affects all Grav installations running Admin Plugin version 1.10.7 or earlier. Attackers can hijack administrator accounts, modify website content, or execute operating system commands.
💻 Affected Systems
- Grav Admin Plugin
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, allowing attackers to take over the web server, pivot to internal networks, and deploy ransomware or exfiltrate data.
Likely Case
Website defacement, configuration changes, administrator account takeover, and limited command execution leading to data theft or further exploitation.
If Mitigated
With proper network segmentation and access controls in place the impact is limited; if command execution is blocked, an attacker may be able to make configuration changes only.
🎯 Exploit Status
Multiple public exploit scripts and detailed write-ups are available. Exploitation requires no authentication and minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.8
Vendor Advisory: https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj
Restart Required: No
Instructions:
1. Update Grav Admin Plugin to version 1.10.8 or later via Grav Package Manager or manual installation.
2. Verify the update completed successfully.
3. Clear any caches if necessary.
🔧 Temporary Workarounds
Block Admin Path Access
Restrict access to the /admin path from untrusted networks using web server configuration or firewall rules.
# Apache (httpd 2.4 syntax):
<Location /admin>
    Require all denied
</Location>
# Nginx:
location /admin {
    deny all;
}
🧯 If You Can't Patch
- Implement strict network access controls to block all external access to the /admin path.
- Deploy a web application firewall (WAF) with rules to detect and block exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Admin Plugin version in Grav's plugin management interface or by examining the plugin.json file in the admin plugin directory.
Check Version:
grep -r 'version' /path/to/grav/user/plugins/admin/plugin.json
Verify Fix Applied:
Confirm the Admin Plugin version is 1.10.8 or higher and test that unauthenticated access to admin controller methods is blocked.
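The version comparison above is easy to get wrong by hand (a naive string compare puts 1.10.10 before 1.10.8). The following script is an added example, not code from the page or from the Grav project: it pulls the version string out of the plugin metadata file and compares it numerically against the fixed release. It reads the plugin.json named above and, as an assumption, also accepts a plain `version: x.y.z` line in case the metadata is kept in YAML. The sample file contents are constructed.

```python
import json
import re
from typing import Optional, Tuple

# Release that contains the fix, as stated in the vendor advisory
FIXED_VERSION = "1.10.8"

# Constructed sample metadata (not real plugin files)
SAMPLE_PLUGIN_JSON = '{"name": "admin", "version": "1.10.7"}'
SAMPLE_YAML = "name: Admin Panel\nversion: 1.10.8\n"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.7' into (1, 10, 7) so that tuples compare numerically.

    A pre-release suffix such as '-rc.1' is ignored, so a 1.10.8 pre-release
    is treated as fixed; check such builds by hand.
    """
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed Admin Plugin is older than the patched release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def extract_version(text: str) -> Optional[str]:
    """Pull the version field out of plugin metadata.

    Tries JSON first (plugin.json, as named on the page), then falls back to a
    'version: x.y.z' line (assumption: how a YAML metadata file would spell it).
    """
    try:
        data = json.loads(text)
        if isinstance(data, dict) and "version" in data:
            return str(data["version"])
    except json.JSONDecodeError:
        pass
    match = re.search(r'^\s*"?version"?\s*[:=]\s*"?([0-9][0-9.]*)', text, re.MULTILINE)
    return match.group(1) if match else None


def check_file(path: str) -> Tuple[str, bool]:
    """Return (version, vulnerable) for a metadata file on disk."""
    with open(path, encoding="utf-8") as fh:
        version = extract_version(fh.read())
    if version is None:
        raise ValueError(f"no version field found in {path}")
    return version, is_vulnerable(version)


if __name__ == "__main__":
    import sys

    # Usage: python check_admin_version.py /path/to/grav/user/plugins/admin/plugin.json
    if len(sys.argv) == 2:
        found, vulnerable = check_file(sys.argv[1])
    else:
        found = extract_version(SAMPLE_PLUGIN_JSON)
        vulnerable = is_vulnerable(found)
    state = "VULNERABLE (update to %s)" % FIXED_VERSION if vulnerable else "patched"
    print(f"Admin Plugin {found}: {state}")
```

A passing version check only tells you the code on disk is the fixed release; the second half of the verification above, confirming that unauthenticated requests to admin controller methods are rejected, still has to be done against the running site.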
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /admin paths from unauthenticated users
- YAML file modifications in configuration directories
- Unexpected process execution by the web server user
Network Indicators:
- HTTP requests to /admin endpoints without authentication headers
- Unusual outbound connections from the web server
SIEM Query:
source="web_logs" AND (uri_path="/admin/*" AND http_status=200) AND NOT user_agent="*bot*"
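For sites without a SIEM, the same logic as the query above can be run over raw access logs. The script below is an added example, not code from the page or from the Grav project: it parses combined-format access log lines, keeps POST requests under /admin that the server answered with 200 (mirroring the query, which excludes bot user agents), and counts them per source address so that an unusual burst from one client stands out. The log lines are constructed; the /admin/example path in them is a placeholder, not a real Grav route.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Apache/Nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:12:00:01 +0000] "GET /admin HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:12:00:02 +0000] "POST /admin/example HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
203.0.113.5 - - [10/Apr/2021:12:00:03 +0000] "POST /admin/example HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Apr/2021:12:01:00 +0000] "GET /blog HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2021:12:01:30 +0000] "POST /admin/login HTTP/1.1" 302 0 "https://example.test/admin" "Mozilla/5.0"
66.249.66.1 - - [10/Apr/2021:12:02:00 +0000] "GET /admin HTTP/1.1" 200 4312 "-" "Googlebot/2.1"
"""


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])


def is_admin_path(path: str) -> bool:
    """Match /admin itself and anything below it (query strings included)."""
    return path == "/admin" or path.startswith("/admin/")


def admin_post_hits(lines: Iterable[str], statuses: Tuple[int, ...] = (200,)) -> List[Hit]:
    """Select POSTs to /admin paths with a matching status, skipping bot user agents."""
    hits: List[Hit] = []
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit.method != "POST" or not is_admin_path(hit.path):
            continue
        if hit.status not in statuses or "bot" in hit.ua.lower():
            continue
        hits.append(hit)
    return hits


def hits_per_source(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count flagged requests per client address."""
    return dict(Counter(h.ip for h in hits))


if __name__ == "__main__":
    flagged = admin_post_hits(SAMPLE_LOG.splitlines())
    for hit in flagged:
        print(f"{hit.ts} {hit.ip} {hit.method} {hit.path} {hit.status} {hit.ua}")
    print("per source:", hits_per_source(flagged))
```

Access logs do not record whether a request carried a valid admin session, so every hit needs to be reconciled with the admin login activity for that client; the per-source count and the non-browser user agent are what make the flagged requests worth a closer look.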
🔗 References
- http://packetstormsecurity.com/files/162283/GravCMS-1.10.7-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/162457/GravCMS-1.10.7-Remote-Command-Execution.html
- https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj
- https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/