CVE-2021-27236
📋 TL;DR
This vulnerability in Mutare Voice (EVM) allows unauthenticated attackers to include local files via getfile.asp, which can be escalated to remote code execution. It affects Mutare Voice 3.x versions before 3.3.8. Organizations running vulnerable versions are at risk of complete system compromise.
💻 Affected Systems
- Mutare Voice (EVM)
📦 What is this software?
Voice by Mutare
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining administrative privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Unauthenticated remote code execution leading to web server compromise, data theft, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and web application firewalls are in place, though the vulnerability remains exploitable.
🎯 Exploit Status
Local file inclusion vulnerabilities are commonly weaponized for RCE through techniques like log poisoning or file upload abuse.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.8 or later
Vendor Advisory: https://www.mutare.com/security-adv-mutare-2021-001-mutare-voice/
Restart Required: Yes
Instructions:
1. Download Mutare Voice version 3.3.8 or later from the vendor.
2. Back up the current configuration and data.
3. Install the updated version following vendor instructions.
4. Restart the Mutare Voice service.
🔧 Temporary Workarounds
Block getfile.asp Access
Restrict access to the vulnerable getfile.asp endpoint using web server configuration or firewall rules.
# For IIS: Use URL Rewrite to block /getfile.asp
# For Apache: Use mod_rewrite to deny access to getfile.asp
Network Segmentation
Isolate Mutare Voice servers from internet access and restrict internal network access.
# Configure firewall rules to limit inbound connections to Mutare Voice
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can reach the Mutare Voice server
- Deploy a web application firewall (WAF) with rules to detect and block LFI exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Mutare Voice version in the administration interface or by examining installed files. Versions 3.x before 3.3.8 are vulnerable.
Check Version:
Check the Mutare Voice web interface or installation directory for version information
Verify Fix Applied:
Verify the version is 3.3.8 or later in the administration interface and test that getfile.asp no longer accepts malicious file inclusion parameters.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to getfile.asp with suspicious parameters
- Multiple failed attempts followed by successful file inclusion
- Web server logs showing access to system files
Network Indicators:
- HTTP requests to getfile.asp with directory traversal patterns (../)
- Unusual outbound connections from Mutare Voice server
SIEM Query:
source="mutare_voice_logs" AND uri="*getfile.asp*" AND (param="*../*" OR param="*..\\*")
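
The log and network indicators above can also be checked offline against IIS W3C logs. The script below is an added example, not part of the vendor advisory or Mutare's code; the log lines, the query parameter name `p` and the file names are constructed, and the field layout is an assumption about how logging is configured. It decodes the query string repeatedly so that percent-encoded and double-encoded traversal sequences are caught as well as the literal `../` form.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log sample; parameter name "p" and all values are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-01 10:00:01 GET /index.asp - 10.0.0.5 200
2021-03-01 10:00:07 GET /getfile.asp p=report.wav 10.0.0.5 200
2021-03-01 10:01:12 GET /getfile.asp p=../../example.txt 203.0.113.9 200
2021-03-01 10:01:15 GET /GetFile.asp p=..%5c..%5cexample.txt 203.0.113.9 404
2021-03-01 10:01:19 GET /getfile.asp p=%252e%252e%252fexample.txt 203.0.113.9 200
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")  # "../" or "..\" after decoding


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_getfile_traversal(log_text):
    """Return (date, time, client_ip, status, decoded_query) per flagged request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, parts))
        if not row.get("cs-uri-stem", "").lower().endswith("/getfile.asp"):
            continue
        query = fully_decode(row.get("cs-uri-query", ""))
        if TRAVERSAL.search(query):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         int(row.get("sc-status", 0)), query))
    return hits


if __name__ == "__main__":
    for hit in find_getfile_traversal(SAMPLE_LOG):
        print(hit)
```

A flagged request with a 200 status deserves closer review than one that returned 404, since the log indicators above call out failed attempts followed by a successful inclusion.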