CVE-2021-32094

8.8 HIGH

📋 TL;DR

CVE-2021-32094 allows authenticated users to upload arbitrary files to the NSA Emissary workflow application. This could lead to remote code execution or system compromise. It affects organizations running Emissary 5.9.0 for workflow automation.

💻 Affected Systems

Products:
  • NSA Emissary
Versions: 5.9.0
Operating Systems: Any OS running Emissary
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover via remote code execution, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Unauthorized file upload leading to web shell deployment, data manipulation, or privilege escalation.

🟢 If Mitigated: Limited impact with proper file validation and restricted user permissions.

🌐 Internet-Facing: HIGH - If exposed to the internet, an attacker holding valid credentials could upload malicious files.
🏢 Internal Only: HIGH - Even internally, authenticated users could abuse this to compromise the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.10.0 or later

Vendor Advisory: https://github.com/NationalSecurityAgency/emissary/releases

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download Emissary 5.10.0 or later from the official repository.
3. Stop the Emissary service.
4. Install the new version.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

Restrict file upload permissions (applies to: all)

Implement strict file type validation and limit upload permissions to trusted users only.

  • Configure the application to allow only specific file extensions
  • Implement user role-based upload restrictions

Network segmentation (applies to: all)

Isolate Emissary instances from critical systems to limit potential lateral movement.

  • Configure firewall rules to restrict Emissary network access

🧯 If You Can't Patch

  • Implement strict file upload validation at application layer
  • Monitor for suspicious file uploads and user activity

🔍 How to Verify

Check if Vulnerable:

Check the Emissary version; if it is running 5.9.0, the system is vulnerable.

Check Version:

Check the Emissary configuration files or admin interface for version information.

Verify Fix Applied:

Verify version is 5.10.0 or later and test file upload functionality with restricted file types.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads
  • Large or unexpected file types being uploaded
  • Multiple failed upload attempts

Network Indicators:

  • HTTP POST requests with file uploads to Emissary endpoints
  • Unusual outbound connections from Emissary server

SIEM Query:

source="emissary.log" AND (event="file_upload" AND file_extension NOT IN ("txt","pdf","doc"))
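The two log indicators above (uploads outside the allowlist, repeated failed uploads) as an added example that is not from the page or the Emissary project; it runs over constructed key=value log lines, and the field names, log format and failure threshold are assumptions.

```python
import re
from collections import Counter

# Allowlist taken from the page's SIEM query; tune it to what the deployment needs.
ALLOWED_EXTENSIONS = {"txt", "pdf", "doc"}
FAILED_UPLOAD_THRESHOLD = 3  # assumed: flag a user at this many failed uploads

# Constructed sample log lines; the key=value layout is assumed, not Emissary's real format.
SAMPLE_LOG = """\
event=file_upload user=alice file=quarterly.pdf status=ok
event=file_upload user=bob file=script.sh status=ok
event=file_upload user=carol file=notes.txt status=ok
event=file_upload user=bob file=build1.zip status=failed
event=file_upload user=bob file=build2.zip status=failed
event=file_upload user=bob file=build3.zip status=failed
event=login user=dave status=ok
event=file_upload user=eve file=README status=ok
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def extension_of(filename):
    """Lower-cased extension, or '' when the name has none (treated as disallowed)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def detect(log_text):
    """Return (rule, user, detail) findings for the page's two log indicators."""
    findings = []
    failures = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("event") != "file_upload":
            continue  # same event filter as the SIEM query
        name = rec.get("file", "")
        if extension_of(name) not in ALLOWED_EXTENSIONS:
            findings.append(("disallowed_extension", rec.get("user"), name))
        if rec.get("status") == "failed":
            failures[rec.get("user")] += 1
    for user, n in failures.items():
        if n >= FAILED_UPLOAD_THRESHOLD:
            findings.append(("repeated_failed_uploads", user, f"{n} failures"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```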
