CVE-2021-30461

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary PHP code on VoIPmonitor systems by injecting malicious code into configuration files through the web UI's recheck feature. It affects all VoIPmonitor installations with versions before 24.61 that have the web UI exposed. Attackers can gain complete control of affected systems.

💻 Affected Systems

Products:
  • VoIPmonitor
Versions: All versions before 24.61
Operating Systems: Linux (primary deployment platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with web UI enabled. The vulnerability is in the core application and doesn't require special configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, pivot to internal networks, and maintain persistent access.

🟠 Likely Case

Remote code execution leading to data theft, installation of cryptocurrency miners or ransomware, and creation of backdoors for future access.

🟢 If Mitigated

Limited impact with proper network segmentation, web application firewalls, and strict access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects the web UI which is typically internet-facing for VoIPmonitor deployments.
🏢 Internal Only: MEDIUM - While still serious, internal-only deployments reduce the attack surface from external threats but remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers can craft HTTP requests to trigger the vulnerability without any authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.61 and later

Vendor Advisory: https://www.voipmonitor.org/changelog

Restart Required: Yes

Instructions:

1. Back up current configuration and data.
2. Download VoIPmonitor version 24.61 or later from official sources.
3. Stop VoIPmonitor service.
4. Install the updated version following vendor instructions.
5. Restart VoIPmonitor service.
6. Verify the web UI functions correctly.

🔧 Temporary Workarounds

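Disable Web UI Access (platform: linux)

Temporarily block access to the VoIPmonitor web interface while awaiting patching. The rules are appended with -A, so they only take effect if no earlier INPUT rule already accepts traffic to ports 80 and 443.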

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Web Application Firewall Rules (platform: all)

Implement WAF rules to block malicious requests containing PHP code patterns

🧯 If You Can't Patch

  • Implement strict network access controls to limit VoIPmonitor web UI access to trusted IP addresses only
  • Deploy a reverse proxy with request filtering to sanitize input before reaching the vulnerable application

🔍 How to Verify

Check if Vulnerable:

Check the VoIPmonitor version via the web UI dashboard or the configuration file. If the version is below 24.61, the system is vulnerable.

Check Version:

grep 'version' /usr/local/voipmonitor/config/configuration.php || cat /usr/local/voipmonitor/version.txt

Verify Fix Applied:

Verify that the version is 24.61 or higher in the web UI dashboard, and test that the recheck functionality no longer accepts PHP code in the SPOOLDIR parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to recheck functionality
  • HTTP requests containing PHP code patterns in parameters
  • Unauthenticated access attempts to admin functions

Network Indicators:

  • HTTP traffic to VoIPmonitor web UI with suspicious parameter values
  • Outbound connections from VoIPmonitor server to unknown IPs post-exploitation

SIEM Query:

source="voipmonitor" AND (uri_path="/recheck" OR param="SPOOLDIR") AND (content="<?php" OR content="eval(" OR content="system(")
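
The query above matches literal strings, so it can miss a value that is still percent-encoded in the log. The added example below (not part of the original page or of VoIPmonitor) decodes query parameters, including nested encoding, before matching the same markers. It assumes parameters appear in the logged request target; the log lines, IPs and paths in it are constructed samples.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers and parameter name taken from the page's SIEM query.
PHP_MARKERS = ("<?php", "eval(", "system(")
WATCHED_PARAM = "spooldir"

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded markers are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return (param, marker, in_watched_param) tuples for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value).lower()  # case-insensitive match
        for marker in PHP_MARKERS:
            if marker in decoded:
                findings.append((name, marker, name.lower() == WATCHED_PARAM))
    return findings


# Constructed sample lines (documentation IP ranges, harmless values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:01 +0000] "POST /recheck?SPOOLDIR=%2Ftmp%3C%3Fphp+echo+1%3B HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jan/2021:10:00:05 +0000] "POST /recheck?SPOOLDIR=%253C%253FPHP HTTP/1.1" 200 12',
    '198.51.100.4 - - [01/Jan/2021:10:01:00 +0000] "GET /recheck?SPOOLDIR=%2Fvar%2Fspool%2Fvoipmonitor HTTP/1.1" 200 40',
    '198.51.100.4 - - [01/Jan/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for param, marker, watched in inspect_line(line):
            print(f"ALERT watched={watched} param={param} marker={marker!r} :: {line}")
```

Standard access logs do not record POST bodies, so parameters sent in the body need a reverse proxy or WAF log that captures them before the same check can be applied.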
