CVE-2021-26912

8.1 HIGH

📋 TL;DR

CVE-2021-26912 is an unauthenticated remote code execution vulnerability in the web server component of NetMotion Mobility. The SupportRpcServlet endpoint deserializes Java objects supplied by the client, so any attacker who can reach the web server can execute arbitrary code with SYSTEM privileges without presenting credentials. It affects organizations that run NetMotion Mobility as their VPN/remote access solution, where the server is reachable by remote clients by design, and a successful exploit gives complete control of the affected server.

💻 Affected Systems

Products:
  • NetMotion Mobility Server
Versions: All releases before 11.73 (including 11.x and earlier majors), and 12.x releases before 12.02
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web server component of NetMotion Mobility. The flaw is in SupportRpcServlet, which handles support-related RPC calls and deserializes client-supplied Java objects before any authentication check.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Mobility server with SYSTEM privileges, allowing attackers to pivot to internal networks, steal credentials, deploy ransomware, or establish persistent backdoors.

🟠

Likely Case

Remote code execution leading to server compromise, data exfiltration, and lateral movement within the network.

🟢

If Mitigated

Limited impact if network segmentation and access controls keep untrusted clients away from the web interface, so that exploitation attempts never reach the vulnerable servlet.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: proof-of-concept code is public, no credentials are needed, and the attacker only has to deliver a crafted serialized Java object in a single HTTP request to the servlet.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.73 or later for 11.x; 12.02 or later for 12.x

Vendor Advisory: https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020

Restart Required: Yes

Instructions:

1. Download NetMotion Mobility version 11.73 (for 11.x) or 12.02 (for 12.x) from the official vendor portal.
2. Apply the update to every affected Mobility server.
3. Restart the Mobility server services to complete the installation.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to the Mobility server's web interface (typically TCP 443) to trusted IP ranges or internal networks only. Note that this also cuts off remote VPN clients that reach the server from arbitrary addresses, so it is a stopgap, not a substitute for the patch.

Disable SupportRpcServlet

windows

If the servlet cannot be disabled, block requests whose path targets SupportRpcServlet at a reverse proxy or firewall in front of the server. Confirm with the vendor before changing servlet configuration, since support tooling relies on this endpoint.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules so that only required sources can reach Mobility servers
  • Deploy web application firewall (WAF) or reverse-proxy rules that block POST requests to the SupportRpcServlet path and any request body that begins with the Java serialization stream header (raw bytes AC ED 00 05, or rO0AB when base64-encoded)

🔍 How to Verify

Check if Vulnerable:

Check the installed NetMotion Mobility server version via the web interface or the server management console. Any version below 11.73, and any 12.x version below 12.02, is vulnerable.

Check Version:

The installed version is shown in the Mobility server web interface and in the server management console.

Verify Fix Applied:

After patching, confirm the reported version is 11.73 or higher (for 11.x) or 12.02 or higher (for 12.x), and that the server services were restarted so the new build is actually running.
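The version check above is easy to get wrong across an inventory (leading zeros, older major releases, post-fix minor releases). The following is an added example, not code from the original page or from NetMotion, that encodes the advisory's affected range and triages a list of servers. The version strings are assumed to be dotted decimals as the vendor writes them (11.73, 12.02); the hostnames and versions below are constructed for illustration.

```python
"""Decide whether a NetMotion Mobility server version falls in the
CVE-2021-26912 affected range: before 11.73, or 12.x before 12.02."""

FIXED_11 = (11, 73)   # first fixed 11.x release per the vendor advisory
FIXED_12 = (12, 2)    # first fixed 12.x release ("12.02")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "12.01" or "11.73.1234" into a tuple of ints.

    The vendor writes two-digit minors ("12.02"), so int() stripping the
    leading zero is correct: "12.02" becomes (12, 2) and sorts before (12, 10).
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if this version is in the affected range of CVE-2021-26912."""
    major, minor = parse_version(version)[:2]
    if major < 11:
        return True                      # "all versions before 11.73" covers older majors too
    if major == 11:
        return (major, minor) < FIXED_11
    if major == 12:
        return (major, minor) < FIXED_12
    return False                         # 13.x and later are outside the advisory's range


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames (sorted) that still need the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for illustration only (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "mobility-east.example": "11.72",
    "mobility-west.example": "12.01",
    "mobility-lab.example": "12.02",
    "mobility-old.example": "10.50",
    "mobility-new.example": "12.10",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} runs {SAMPLE_INVENTORY[host]}")
```

Feed it the version strings collected from the management console; anything it lists is still exposed even if a patch download was staged but the services were never restarted.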

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors or stack traces (ClassNotFoundException, InvalidClassException, StreamCorruptedException) in Mobility server logs, which a failed or probing payload often leaves behind
  • Unexpected child processes spawned by the Mobility web server process running as SYSTEM
  • Requests to SupportRpcServlet from sources that are not known support or management hosts

Network Indicators:

  • HTTP POST requests to /servlet/SupportRpcServlet from external IPs, especially with bodies that begin with the Java serialization header (AC ED 00 05, or rO0AB in base64)
  • Unusual outbound connections from the Mobility server, such as reverse shells or download activity following such a request

SIEM Query:

source="mobility_server" AND ((http_method="POST" AND uri="/servlet/SupportRpcServlet") OR message="*deserialization*" OR message="*InvalidClassException*")
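To run the same logic offline against exported web-server access logs, here is an added example (not from the original page or from NetMotion) that flags POST requests to the SupportRpcServlet path from addresses outside a trusted allow-list, and separately checks a request body for the Java serialization stream header. The log lines are constructed in Common Log Format, the trusted networks are an assumed example allow-list, and the servlet path is the one this page lists.

```python
"""Flag suspicious SupportRpcServlet traffic in access logs and detect
Java serialized payloads in request bodies."""
import ipaddress
import re

SERVLET_PATH = "/servlet/SupportRpcServlet"

# Assumed allow-list of networks from which support/management calls are expected.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# java.io.ObjectOutputStream writes STREAM_MAGIC (0xACED) then STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_MAGIC_B64 = b"rO0AB"   # the same four bytes, base64-encoded

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log for illustration only; addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.5.7 - - [19/Nov/2020:10:01:02 +0000] "GET /servlet/SupportRpcServlet HTTP/1.1" 200 512
198.51.100.23 - - [19/Nov/2020:10:01:05 +0000] "POST /servlet/SupportRpcServlet HTTP/1.1" 200 1324
192.168.1.10 - - [19/Nov/2020:10:01:09 +0000] "POST /servlet/SupportRpcServlet HTTP/1.1" 200 1324
203.0.113.9 - - [19/Nov/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 4096
203.0.113.9 - - [19/Nov/2020:10:02:31 +0000] "POST /servlet/SupportRpcServlet?x=1 HTTP/1.1" 500 0
"""


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def looks_like_java_serialized(body: bytes) -> bool:
    """True if the body starts with the raw or base64-encoded Java stream header."""
    stripped = body.lstrip()
    return stripped.startswith(JAVA_STREAM_MAGIC) or stripped.startswith(JAVA_STREAM_MAGIC_B64)


def find_suspicious(log_text: str) -> list[dict]:
    """Return one record per POST to the servlet path from an untrusted source.

    Only POST is flagged: the exploit has to deliver a serialized object in the
    request body, and GETs from trusted hosts are normal support traffic.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip malformed lines
        if m["path"].split("?", 1)[0] != SERVLET_PATH:
            continue
        if m["method"] != "POST" or is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "timestamp": m["ts"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['timestamp']} POST {SERVLET_PATH} from {hit['ip']} -> HTTP {hit['status']}")
```

A 500 on such a request is not reassurance: a gadget chain can execute during deserialization and still leave the servlet throwing afterwards, so treat any untrusted POST to this path as an incident trigger, not just the successful ones.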

🔗 References
