CVE-2021-28132
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload malicious PHP files through LUCY Security Awareness Software's Migration Tool, leading to remote code execution. Any organization using affected LUCY versions with internet-facing instances is at risk of complete system compromise.
💻 Affected Systems
- LUCY Security Awareness Software
📦 What is this software?
Security Awareness by Lucysecurity
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, data exfiltration, ransomware deployment, and lateral movement across the network.
Likely Case
Webshell installation leading to persistent backdoor access, credential theft, and data manipulation.
If Mitigated
Limited impact if proper network segmentation and file upload restrictions are in place.
🎯 Exploit Status
Simple file upload vulnerability with publicly available exploit details. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 4.7.x
Vendor Advisory: https://abuyv.com/cve/lucy-file-upload-RCE
Restart Required: Yes
Instructions:
1. Upgrade LUCY Security Awareness Software to version 4.8 or later.
2. Restart the LUCY service.
3. Verify the Migration Tool no longer accepts .php files in system.tar.gz archives.
🔧 Temporary Workarounds
Disable Migration Tool
Temporarily disable the Migration Tool in the Support section to prevent file uploads.
Navigate to Support > Migration Tool > Disable
Block public/system/static URI
Use web server configuration to block access to the vulnerable path.
# Apache:
<Location "/public/system/static">
    Require all denied
</Location>
# Nginx:
location /public/system/static {
    deny all;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate LUCY instances from critical systems.
- Deploy web application firewall (WAF) rules to block file uploads containing PHP code and requests to /public/system/static/*.
🔍 How to Verify
Check if Vulnerable:
Check if LUCY version is 4.7.x or earlier and if the Migration Tool accepts .php files within system.tar.gz archives.
Check Version:
Check LUCY web interface admin panel or configuration files for version information.
Verify Fix Applied:
Verify LUCY version is 4.8 or later and test that uploading .php files in system.tar.gz archives is rejected.
📡 Detection & Monitoring
Log Indicators:
- File upload attempts to Migration Tool endpoint
- Access to /public/system/static/*.php files
- Unusual PHP process execution from web server user
Network Indicators:
- POST requests to Migration Tool with tar.gz files
- GET requests to /public/system/static/*.php
SIEM Query:
source="web_logs" AND (uri="/support/migration" OR uri="/public/system/static/*.php")
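As an added example (not part of this advisory or of LUCY's own tooling), the log indicators above applied to web-server access-log lines in Python; the request paths /support/migration and /public/system/static/ are taken from the SIEM query above and assumed to be the literal paths that appear in the access log, and the sample log lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Common/combined access-log format as written by Apache or Nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Paths from the advisory's SIEM query (assumed to be the literal request paths).
MIGRATION_ENDPOINT = "/support/migration"
STATIC_PREFIX = "/public/system/static/"

def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (indicator, client_ip, path) if the line matches an indicator, else None.
    The access log does not show the upload body, so a POST to the Migration Tool is
    flagged whatever it carried; the tar.gz check needs a WAF or a body-logging proxy."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("uri").split("?", 1)[0]
    if m.group("method") == "POST" and path == MIGRATION_ENDPOINT:
        return ("migration_tool_upload", m.group("ip"), path)
    if path.startswith(STATIC_PREFIX) and path.lower().endswith(".php"):
        # 200 means a PHP file really exists under the static path, i.e. an
        # upload most likely succeeded; any other status is only a probe.
        tag = "static_php_served" if m.group("status") == "200" else "static_php_probe"
        return (tag, m.group("ip"), path)
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return every indicator hit in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log (not real traffic): one upload, then a request for a
# PHP file under the static path, plus benign noise and a failed probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "POST /support/migration HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2021:12:00:05 +0000] "GET /public/system/static/migrated.php HTTP/1.1" 200 73
198.51.100.4 - - [10/Mar/2021:12:01:00 +0000] "GET /public/system/static/logo.png HTTP/1.1" 200 2048
198.51.100.4 - - [10/Mar/2021:12:01:02 +0000] "GET /support/migration HTTP/1.1" 200 4096
198.51.100.9 - - [10/Mar/2021:12:02:00 +0000] "GET /public/system/static/x.php HTTP/1.1" 404 162
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

A POST to the Migration Tool followed within seconds by a 200 for a .php file under the static path, from the same client, is the sequence worth alerting on.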