CVE-2021-27964

9.8 CRITICAL

📋 TL;DR

CVE-2021-27964 allows unauthenticated attackers to upload arbitrary files to SonLogger web servers via the /Config/SaveUploadedHotspotLogoFile endpoint. This can lead to remote code execution by uploading malicious files such as web shells. All SonLogger installations before version 6.4.1 are affected.

💻 Affected Systems

Products:
  • SonLogger
Versions: All versions before 6.4.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations; no special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through remote code execution, data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Web shell upload leading to server control, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated: Attack blocked at network perimeter or detected before exploitation; no impact.

🌐 Internet-Facing: HIGH - Unauthenticated exploit with public PoC makes internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Internal instances remain vulnerable to insider threats or compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with file upload to vulnerable endpoint; multiple public exploit scripts available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.1

Vendor Advisory: https://www.sonlogger.com/releasenotes

Restart Required: Yes

Instructions:

1. Download SonLogger 6.4.1 or later from the official vendor site.
2. Back up configuration and data.
3. Stop the SonLogger service.
4. Install the updated version.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

Block Vulnerable Endpoint

Platforms: all

Use a web application firewall or reverse proxy to block POST requests to /Config/SaveUploadedHotspotLogoFile.

# Example nginx location block
location /Config/SaveUploadedHotspotLogoFile { deny all; }
# Example Apache
<Location "/Config/SaveUploadedHotspotLogoFile">
    Require all denied
</Location>

Network Segmentation

Platforms: all

Restrict access to the SonLogger management interface to trusted IPs only.

# Example iptables rules (replace the bracketed placeholders; order matters, ACCEPT must precede DROP)
iptables -A INPUT -p tcp --dport [SonLogger_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [SonLogger_PORT] -j DROP
# Windows Firewall (PowerShell, run as Administrator). "NotLocalSubnet" is not a recognised
# -RemoteAddress keyword, so allow only the trusted address and let the default inbound Block
# policy drop everything else (remove any existing broader Allow rule for the port first).
# Do not add a separate Block rule for the same port: explicit Block rules take precedence
# over Allow rules and would also cut off the trusted address.
New-NetFirewallRule -DisplayName "Allow SonLogger Trusted Only" -Direction Inbound -Protocol TCP -LocalPort [SonLogger_PORT] -RemoteAddress [TRUSTED_IP] -Action Allow

🧯 If You Can't Patch

  • Implement strict network access controls to limit SonLogger exposure to only necessary users/systems.
  • Deploy web application firewall with file upload filtering and malicious content detection.

🔍 How to Verify

Check if Vulnerable:

Check the SonLogger version via the web interface or configuration files; versions below 6.4.1 are vulnerable. Confirm by sending a POST request to /Config/SaveUploadedHotspotLogoFile with a harmless test file and observing whether it is accepted.

Check Version:

# Windows: Check installed programs or SonLogger configuration files
# Linux: Check package manager or installation directory version files

Verify Fix Applied:

Verify the version is 6.4.1 or higher. A POST request to the vulnerable endpoint should now return an authentication error or a 404.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /Config/SaveUploadedHotspotLogoFile
  • File uploads with unusual extensions (.php, .asp, .jsp) to SonLogger directories
  • Unauthenticated requests followed by command execution patterns

Network Indicators:

  • Unusual outbound connections from SonLogger server
  • POST requests to vulnerable endpoint from unexpected sources
  • File uploads exceeding normal size patterns

SIEM Query:

source="sonlogger.log" AND (url="/Config/SaveUploadedHotspotLogoFile" OR (method="POST" AND file_extension IN ("php", "asp", "jsp", "ashx")))

Field names (source, url, method, file_extension) depend on how your SIEM parses the web server log; map them to your own schema before deploying the query.
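The log indicators and SIEM query above can be exercised offline with a small parser. The following Python script is an added example, not part of the original advisory or SonLogger's own tooling: it reads access-log lines in Common/Combined Log Format, flags every POST to /Config/SaveUploadedHotspotLogoFile, and raises the severity when the same client later requests a script-like file (.php, .asp, .jsp, .ashx), which is the "upload followed by execution" pattern listed under Log Indicators. The sample log lines, the /Uploads path and the field layout are constructed assumptions; SonLogger's real log format may differ.

```python
import re
from collections import defaultdict

# Endpoint from the advisory (compared case-insensitively) and the script
# extensions from the Log Indicators list.
UPLOAD_ENDPOINT = "/config/saveuploadedhotspotlogofile"
SCRIPT_EXTENSIONS = (".php", ".asp", ".jsp", ".ashx")

# Common/Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Drop the query string and lower-case the path so case variants of the
    # endpoint or extension are still caught.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def analyze(lines):
    """Flag POSTs to the upload endpoint and requests for script-like files.

    A script request from a client that previously hit the upload endpoint is
    reported as critical (possible web shell execution); from any other client
    it is reported as medium (worth a look, but no upload was seen).
    """
    findings = []
    upload_sources = set()  # client IPs that have POSTed to the upload endpoint
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            upload_sources.add(rec["ip"])
            findings.append({"line": lineno, "ip": rec["ip"], "ts": rec["ts"],
                             "rule": "upload_endpoint_post", "severity": "high"})
        elif rec["path"].endswith(SCRIPT_EXTENSIONS):
            if rec["ip"] in upload_sources:
                rule, sev = "script_request_after_upload", "critical"
            else:
                rule, sev = "script_path_request", "medium"
            findings.append({"line": lineno, "ip": rec["ip"], "ts": rec["ts"],
                             "rule": rule, "severity": sev, "path": rec["path"]})
    return findings


# Constructed sample log (RFC 5737 test addresses); the /Uploads path is an assumption.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2021:09:58:40 +0000] "GET /Login HTTP/1.1" 200 1843',
    '203.0.113.5 - - [10/Mar/2021:10:00:07 +0000] "POST /Config/SaveUploadedHotspotLogoFile HTTP/1.1" 200 37',
    '203.0.113.5 - - [10/Mar/2021:10:00:12 +0000] "GET /Uploads/logo.ashx HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2021:10:01:00 +0000] "GET /static/app.js HTTP/1.1" 304 -',
    '192.0.2.44 - - [10/Mar/2021:10:02:30 +0000] "GET /help/index.php HTTP/1.1" 404 219',
    'not a log line',
]


def summarize(findings):
    """Count findings per severity, e.g. for an alerting threshold."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['severity']:<8} {f['rule']:<28} {f['ip']}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the "upload_endpoint_post" rule alone already implements the first Log Indicator, and the per-client correlation is what turns a noisy "someone fetched a .php file" into a high-confidence alert.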
