CVE-2021-26471

9.8 CRITICAL

📋 TL;DR

CVE-2021-26471 is an unauthenticated remote code execution vulnerability in Vembu backup products. Attackers can execute arbitrary shell commands via the /sgwebservice_o.php API endpoint without authentication. This affects VembuBDR and VembuOffsiteDR installations before version 4.2.0.1.

💻 Affected Systems

Products:
  • VembuBDR
  • VembuOffsiteDR
Versions: All versions before 4.2.0.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both on-premises and cloud deployments. The vulnerable endpoint is served by the Vembu web interface, which listens on port 6060 by default.

📦 What is this software?

Vembu BDR Suite is a backup and disaster-recovery product for virtual machines, physical servers and endpoints. VembuBDR is the backup server that receives and stores backup data; VembuOffsiteDR is the companion server that replicates those backups to a secondary site. Both expose a PHP web interface and API, and /sgwebservice_o.php is one of those API endpoints.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, exfiltrate data, pivot to other systems, or deploy ransomware across the network.

🟠 Likely Case

Attackers gain an initial foothold, deploy backdoors, steal backup data, and potentially compromise the entire backup infrastructure.

🟢 If Mitigated

Limited impact due to network segmentation, but the backup server remains exposed to compromise from any host that can still reach the endpoint.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication, making exposed instances immediate targets.
🏢 Internal Only: HIGH - Even internally, any attacker with network access can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with command injection payload. Multiple public exploit scripts and Metasploit modules exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.0.1

Vendor Advisory: https://help.vembu.com/vembu-bdr-suite/vembu-bdr-suite-4-2-0-1-release-notes/

Restart Required: Yes

Instructions:

1. Download Vembu BDR Suite 4.2.0.1 from the Vembu website.
2. Back up the current configuration.
3. Run the installer and follow the upgrade wizard.
4. Restart the Vembu services after installation.

🔧 Temporary Workarounds

Network Access Control

Restrict access to the Vembu web port (6060 by default, plus the HTTPS port if you have enabled it, 6061 by default) to trusted hosts only. Insert the rules at the top of the INPUT chain so that an earlier blanket ACCEPT rule cannot bypass them; replace trusted_ip with the address or subnet of each host that legitimately talks to the server, including backup clients, or backups will stop:

iptables -I INPUT 1 -p tcp --dport 6060 -s trusted_ip -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 6060 -j DROP

Persist the rules with your distribution's iptables-save mechanism, or they are lost on reboot.

Web Server Blocking

Block the vulnerable endpoint in the httpd configuration that serves the Vembu web interface (the interface is a PHP application behind Apache httpd). Use the directive form that matches the Apache version in use; Apache 2.4 ignores Order/Deny unless mod_access_compat is loaded:

# Apache 2.2
<Location /sgwebservice_o.php>
    Order deny,allow
    Deny from all
</Location>

# Apache 2.4
<Location "/sgwebservice_o.php">
    Require all denied
</Location>

Restart httpd afterwards and confirm that backup clients still work: the endpoint is part of the product's API, so blocking it outright may break legitimate client traffic. If it does, allow only client addresses (Require ip ...) instead of denying everything.

🧯 If You Can't Patch

  • Immediately isolate the Vembu server from internet access and restrict internal network access
  • Implement strict network segmentation and monitor all traffic to/from the Vembu server

🔍 How to Verify

Check if Vulnerable:

Only against systems you are authorized to test: send an HTTP POST to http://[server]:6060/sgwebservice_o.php with the command parameter set to a harmless command (for example id or whoami), with no credentials or session cookie. If the response contains the command's output, the host is vulnerable.

Check Version:

Check the Vembu web interface dashboard, or on Linux run: grep 'Version' /opt/vembu/bdrserver/conf/version.txt. On Windows, the installed version is listed under Programs and Features (Apps & features) for the Vembu BDR Suite entry.

Verify Fix Applied:

Verify that the version is 4.2.0.1 or later, then repeat the unauthenticated test request: it should be rejected (an authentication error or equivalent) rather than executed. Compare versions numerically, component by component, not as strings.
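Added example, not part of the original advisory or of Vembu's own tooling: it parses a version string, compares it numerically against the fixed version 4.2.0.1, and offers a TCP reachability test you can run from an untrusted segment to confirm the firewall workaround holds. The version-file layout (a line mentioning "Version" followed by a dotted version) is an assumption, as is the sample file content.

```python
"""
Added example, not part of the original advisory or of Vembu's own tooling.
  1. parse a version string and compare it numerically against the fixed
     version 4.2.0.1 (string comparison would rank "4.10" below "4.2");
  2. check from the current network position whether the Vembu web port is
     reachable at all, to confirm the firewall workaround holds.
Assumption: the version file contains a line mentioning "Version" followed by a
dotted numeric version; the exact layout of Vembu's file is not known here.
"""
import re
import socket
from typing import Optional, Tuple

FIXED_VERSION = (4, 2, 0, 1)   # first version the advisory lists as fixed
DEFAULT_PORT = 6060            # Vembu web/API port named in the advisory

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted version on a line mentioning 'Version', padded to 4 parts."""
    for line in text.splitlines():
        if "version" not in line.lower():
            continue
        m = _VERSION_RE.search(line)
        if m:
            parts = tuple(int(p) for p in m.group(1).split("."))
            return parts + (0,) * (4 - len(parts))   # 4.2 -> (4, 2, 0, 0)
    return None


def is_patched(version: Tuple[int, ...]) -> bool:
    """Component-wise numeric comparison against the fixed version."""
    return tuple(version) >= FIXED_VERSION


def port_reachable(host: str, port: int = DEFAULT_PORT, timeout: float = 3.0) -> bool:
    """TCP connect test only; nothing is sent to the vulnerable endpoint.
    Run from an untrusted network segment: it should return False once the
    iptables / firewall restriction is in place."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample; the real version.txt layout may differ.
SAMPLE_VERSION_TXT = "Product=VembuBDR\nVersion=4.1.0.2\n"

if __name__ == "__main__":
    found = parse_version(SAMPLE_VERSION_TXT)
    if found is None:
        print("could not determine version")
    else:
        state = "patched" if is_patched(found) else "VULNERABLE (below 4.2.0.1)"
        print(".".join(map(str, found)), state)
```

Feed parse_version the output of the grep command above (or the version shown in the dashboard); port_reachable(host) run from a workstation outside the trusted list should return False after the network workaround is applied.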

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /sgwebservice_o.php, especially with a command parameter, from hosts that are not known backup clients
  • Unusual process execution from the web server user: the httpd or PHP process spawning a shell (sh, bash, cmd.exe, powershell.exe)
  • Do not rely on failed-authentication events: the endpoint requires no authentication, so a successful exploit leaves no preceding login failure

Network Indicators:

  • HTTP POST to port 6060 with command injection patterns in payload
  • Outbound connections from Vembu server to suspicious IPs

SIEM Query (pseudo-syntax; field names depend on your SIEM and log source, and the two clauses must be parenthesised or AND/OR precedence changes the meaning):

(source="vembu.log" AND "sgwebservice_o.php" AND "command=") OR (destination_port=6060 AND http_method=POST AND url_path="/sgwebservice_o.php")
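Added detection example, not from the original advisory or from Vembu: it applies the log and process indicators above to constructed sample data. The access-log lines are in Apache combined format, the process events are (parent, child, user) tuples as you would extract from Sysmon event 1 or auditd execve records, and the allowlist of backup clients is an assumption to adapt.

```python
"""
Added detection example, not from the original advisory or from Vembu.
Two scans that implement the indicators above:
  * web-server access log: POSTs to /sgwebservice_o.php, rated higher when the
    request carries a command parameter with shell metacharacters, and flagged
    when they come from a host that is not a known backup client;
  * process creation: the web server or PHP spawning a shell.
All data below is constructed (Apache combined-format lines and simple
(parent, child, user) tuples); ALLOWED_SOURCES is an assumption to adapt.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

VULN_PATH = "/sgwebservice_o.php"
ALLOWED_SOURCES = {"10.0.5.20"}           # assumption: your backup clients
SHELL_META = re.compile(r"[;|&`$]|%0a|%0d", re.IGNORECASE)
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WEB_PROCS = {"httpd", "httpd.exe", "apache2", "php", "php-cgi", "php-fpm", "php.exe"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}


@dataclass
class Alert:
    severity: str
    reason: str
    evidence: str


def scan_access_log(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                               # not a recognised access-log line
        path, _, query = m.group("target").partition("?")
        if m.group("method") != "POST" or path != VULN_PATH:
            continue
        src = m.group("src")
        if "command=" in query.lower() and SHELL_META.search(query):
            alerts.append(Alert("high", f"command parameter with shell metacharacters from {src}", line))
        elif src not in ALLOWED_SOURCES:
            alerts.append(Alert("medium", f"POST to {VULN_PATH} from non-allowlisted {src}", line))
    return alerts


def _basename(image: str) -> str:
    # Handle both Windows and POSIX path separators.
    return re.split(r"[\\/]", image)[-1].lower()


def scan_process_events(events: Iterable[Tuple[str, str, str]]) -> List[Alert]:
    """events: (parent_image, child_image, user), e.g. from Sysmon event 1 or auditd execve."""
    alerts: List[Alert] = []
    for parent, child, user in events:
        p, c = _basename(parent), _basename(child)
        if p in WEB_PROCS and c in SHELLS:
            alerts.append(Alert("high", f"{p} spawned {c} as {user}", f"{parent} -> {child}"))
    return alerts


# Constructed samples (addresses from documentation ranges, paths invented).
SAMPLE_ACCESS = [
    '10.0.5.20 - - [12/May/2021:10:01:02 +0000] "POST /sgwebservice_o.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2021:10:05:44 +0000] "POST /sgwebservice_o.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/May/2021:10:05:50 +0000] "POST /sgwebservice_o.php?command=id;whoami HTTP/1.1" 200 300',
    '10.0.5.20 - - [12/May/2021:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
SAMPLE_PROCS = [
    ("/usr/sbin/httpd", "/usr/bin/php-cgi", "apache"),
    ("/usr/bin/php-cgi", "/bin/sh", "apache"),
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\cmd.exe", "SYSTEM"),
    ("C:\\srv\\web\\httpd.exe", "C:\\Windows\\System32\\cmd.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_ACCESS) + scan_process_events(SAMPLE_PROCS):
        print(f"[{a.severity}] {a.reason}: {a.evidence}")
```

Standard access logs record the request line but not the POST body, so the "command=" check only fires when the parameter travels in the query string; for parameters in the body you need request-body logging (a WAF or mod_security audit log). The process-creation scan does not have that blind spot, which is why both are worth running.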
