CVE-2021-26753

9.9 CRITICAL

📋 TL;DR

CVE-2021-26753 is an authenticated remote code execution vulnerability in NeDi network management software. An authenticated attacker can inject PHP code via the System-Files.php endpoint, potentially gaining full control of the NeDi server and access to all application data. This affects NeDi 1.9C installations with authenticated user access.

💻 Affected Systems

Products:
  • NeDi
Versions: 1.9C
Operating Systems: Any OS running NeDi (typically Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; default installations with user accounts are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the NeDi server, lateral movement to other systems, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Attacker gains shell access to the NeDi server, accesses network monitoring data, and potentially compromises credentials stored in the application.

🟢 If Mitigated

Limited impact due to network segmentation, minimal user privileges, and proper input validation preventing code execution.

🌐 Internet-Facing: HIGH if NeDi is exposed to the internet with authenticated users, as exploitation requires only valid credentials.
🏢 Internal Only: HIGH as authenticated internal users or compromised credentials can lead to server takeover and lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward with authenticated access; public proof-of-concept demonstrates PHP code injection via POST parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9D or later

Vendor Advisory: https://www.nedi.ch/

Restart Required: No

Instructions:

1. Back up the NeDi configuration and data.
2. Download and install NeDi 1.9D or newer from the official website.
3. Verify the update by checking the version in the web interface.

🔧 Temporary Workarounds

Input Validation Filter (platform: linux)

Add input validation to filter PHP code in the txt parameter of System-Files.php.

Modify /path/to/nedi/System-Files.php to sanitize the $_POST['txt'] input before it is used.

Access Restriction (platform: all)

Restrict access to System-Files.php to admin users only via the web server configuration.

Add a location block in nginx/Apache to limit access to trusted IPs or to require additional authentication.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NeDi server from critical systems
  • Enforce least privilege for NeDi user accounts and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check NeDi version via web interface or by examining installation files; version 1.9C is vulnerable.

Check Version:

grep -i version /path/to/nedi/inc/lib.php or check web interface footer

Verify Fix Applied:

Verify version is 1.9D or newer and test that PHP code injection via txt parameter is blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to System-Files.php with PHP code in parameters
  • Unexpected file creations or system commands in NeDi logs

Network Indicators:

  • HTTP traffic to System-Files.php with suspicious payloads in POST data

SIEM Query:

source="nedi.log" AND "System-Files.php" AND ("eval(" OR "system(" OR "shell_exec(")
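The log indicators above can be checked offline. The following is an added detection example, not code from this advisory or from the NeDi project: it scans a proxy/WAF-style log that records POST bodies (the log format, field names and all sample lines are constructed assumptions), scopes to System-Files.php, URL-decodes the parameters and flags PHP markers such as the open tag or the functions named in the SIEM query.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real logs). The format assumes a proxy/WAF log that
# stores the POST body, since a standard access log omits request bodies.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2021:10:01:12 +0000] "POST /System-Files.php HTTP/1.1" 200 body="dev=switch1&txt=hostname+core-sw"
10.0.0.7 - admin [12/Mar/2021:10:02:40 +0000] "POST /System-Files.php HTTP/1.1" 200 body="txt=%3C%3Fphp+system%28"
10.0.0.9 - user1 [12/Mar/2021:10:03:01 +0000] "GET /Devices-List.php?q=eval%28 HTTP/1.1" 200 body=""
10.0.0.5 - admin [12/Mar/2021:10:04:15 +0000] "POST /System-Files.php HTTP/1.1" 200 body="txt=system+check+ok"
"""

# Assumed log layout: src - user [timestamp] "METHOD path proto" status body="..."
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)
# PHP open tags plus the code-execution functions listed in the SIEM query (and two relatives).
PHP_MARKERS = re.compile(r'<\?php|<\?=|\b(?:eval|system|shell_exec|exec|passthru)\s*\(', re.I)


def inspect_line(line):
    """Return a finding dict if the line looks like abuse of the txt parameter, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    if not path.lower().endswith("/system-files.php"):
        return None  # only the vulnerable endpoint is in scope
    # Decode query string and POST body together; payloads are usually URL-encoded.
    decoded = unquote_plus(query) + "&" + unquote_plus(m["body"])
    hit = PHP_MARKERS.search(decoded)
    if hit is None:
        return None
    return {"src": m["src"], "user": m["user"], "ts": m["ts"],
            "method": m["method"], "marker": hit.group(0)}


def scan(log_text):
    """Run inspect_line over every line and keep the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported; the GET to another page and the benign POST containing the bare word "system" are not flagged.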
