CVE-2021-33224

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload malicious web.config and ASP files through Umbraco Forms, leading to arbitrary code execution on the server. It affects Umbraco Forms version 8.7.0 installations, potentially compromising any website using this vulnerable version.

💻 Affected Systems

Products:
  • Umbraco Forms
Versions: 8.7.0
Operating Systems: Windows (due to ASP file requirement)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows servers running ASP.NET. Requires Umbraco Forms to be installed and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover with full administrative access, data theft, and potential lateral movement within the network.

🟠 Likely Case: Remote code execution leading to website defacement, data exfiltration, or deployment of malware/backdoors.

🟢 If Mitigated: No impact if patched or proper file upload restrictions are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code targeting the file upload functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.7.1 or later

Vendor Advisory: https://our.umbraco.com/packages/developer-tools/umbraco-forms

Restart Required: Yes

Instructions:

1. Back up your Umbraco installation.
2. Update Umbraco Forms to version 8.7.1 or later via the NuGet package manager.
3. Restart the application pool/IIS.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict File Upload Types (platform: windows)

Configure IIS request filtering in web.config to deny requests for .config and .asp files.

Add to web.config, under <system.webServer>:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".asp" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Caveat: request filtering rejects HTTP requests whose URL carries one of these extensions, so an uploaded .asp file cannot be served through IIS; it does not inspect multipart upload bodies, so the upload itself still has to be blocked at the application level.

Disable Umbraco Forms Upload (platform: all)

Temporarily disable file upload functionality in Umbraco Forms.

Modify the Umbraco Forms configuration to remove file upload field types.

🧯 If You Can't Patch

  • Implement strict file upload validation at the application level
  • Deploy a WAF with rules to block malicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check the Umbraco Forms version in the Umbraco backoffice or in the packages.config file.

Check Version:

Check packages.config for: <package id="Umbraco.Forms.Core" version="8.7.1" />

Verify Fix Applied:

Confirm Umbraco.Forms.Core package version is 8.7.1+ in packages.config
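The version check above can be scripted so it can be run across many installations. The following Python is an added example, not code from this page or from Umbraco: it parses a packages.config, finds the Umbraco.Forms.Core entry and compares its version numerically against 8.7.1 (a plain string comparison would rank 8.10.0 below 8.7.1). The sample packages.config embedded in the block is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# First Umbraco Forms version the advisory lists as patched.
FIXED_VERSION = (8, 7, 1)

# Constructed sample packages.config, not taken from a real installation;
# only the Umbraco.Forms.Core entry matters for this check.
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="UmbracoCms.Core" version="8.14.1" targetFramework="net472" />
  <package id="Umbraco.Forms.Core" version="8.7.0" targetFramework="net472" />
</packages>
"""


def parse_version(text):
    """Turn a NuGet version string such as '8.7.1' or '8.7.1-beta' into a tuple of ints.

    Pre-release suffixes are dropped so the tuples compare numerically
    (8.10.0 > 8.7.1, which a string comparison would get wrong).
    """
    numeric = text.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def forms_core_version(packages_xml):
    """Return the version string of the Umbraco.Forms.Core package, or None if absent."""
    root = ET.fromstring(packages_xml)
    for package in root.iter("package"):
        if package.get("id", "").lower() == "umbraco.forms.core":
            return package.get("version")
    return None


def fix_applied(packages_xml):
    """True if Umbraco.Forms.Core is 8.7.1 or later, False if older, None if not installed."""
    version = forms_core_version(packages_xml)
    if version is None:
        return None
    return parse_version(version) >= FIXED_VERSION


def fix_applied_in_file(path):
    """Run the same check against a packages.config on disk (utf-8-sig tolerates a BOM)."""
    with open(path, encoding="utf-8-sig") as handle:
        return fix_applied(handle.read())


if __name__ == "__main__":
    found = forms_core_version(SAMPLE_PACKAGES_CONFIG)
    state = {True: "patched", False: "NOT patched", None: "not installed"}
    print(f"Umbraco.Forms.Core {found}: {state[fix_applied(SAMPLE_PACKAGES_CONFIG)]}")
```

Point `fix_applied_in_file` at the packages.config in the site root; a `None` result means the package is not referenced there at all, which is worth confirming in the backoffice rather than treating as safe.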

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /umbraco/forms/ endpoints
  • web.config or .asp file upload attempts
  • 401/403 errors followed by successful uploads

Network Indicators:

  • POST requests with file uploads to Umbraco Forms endpoints
  • Unusual outbound connections after file uploads

SIEM Query:

source="iis" AND (uri_path="/umbraco/forms/*" AND method="POST" AND (file_extension=".config" OR file_extension=".asp"))
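The SIEM query above is written against a normalised schema; raw IIS W3C logs do not record the filenames inside a multipart upload body, so `file_extension` is not a native IIS field. The following Python is an added example (not part of this page) that runs the same logic over an IIS W3C log: it derives the extension from the URI stem and query string instead (an assumption about where the extension is visible), flags POSTs to /umbraco/forms/ endpoints, and implements the "401/403 followed by a successful upload" sequence indicator per client IP. The log excerpt is constructed, and the endpoint and file names under the prefix are placeholders.

```python
import re

FORMS_PREFIX = "/umbraco/forms/"  # endpoint prefix named in the advisory
# Match .config and .asp as a whole extension; \b keeps .aspx from matching.
SUSPECT_EXT_RE = re.compile(r"\.(config|asp)\b", re.IGNORECASE)

# Constructed W3C-format IIS log excerpt (not a real capture). Paths below the
# prefix and the .asp file name are placeholders chosen for the demonstration.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-06-01 10:00:01 10.0.0.5 GET /umbraco/forms/ - 443 - 203.0.113.7 Mozilla/5.0 403 0 0 12
2021-06-01 10:00:02 10.0.0.5 POST /umbraco/forms/upload - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 48
2021-06-01 10:00:03 10.0.0.5 POST /umbraco/forms/upload filename=web.config 443 - 203.0.113.7 Mozilla/5.0 200 0 0 51
2021-06-01 10:00:09 10.0.0.5 GET /media/forms/uploaded.asp - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 9
2021-06-01 10:01:00 10.0.0.5 GET /umbraco/ - 443 admin 198.51.100.4 Mozilla/5.0 200 0 0 30
"""


def parse_iis_log(text):
    """Yield one dict per data line, using the #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split()  # IIS encodes spaces inside values as '+', so split is safe
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def references_suspect_extension(entry):
    """True if the request path or query string names a .config or .asp resource."""
    return bool(SUSPECT_EXT_RE.search(entry.get("cs-uri-stem", ""))
                or SUSPECT_EXT_RE.search(entry.get("cs-uri-query", "")))


def detect(text):
    """Return (client_ip, uri_stem, reason) tuples for the advisory's log indicators."""
    alerts = []
    denied_clients = set()  # clients that received 401/403 on a forms endpoint
    for entry in parse_iis_log(text):
        stem = entry["cs-uri-stem"]
        status = entry["sc-status"]
        client = entry["c-ip"]
        on_forms = stem.lower().startswith(FORMS_PREFIX)
        success = status.startswith("2")

        if on_forms and status in ("401", "403"):
            denied_clients.add(client)

        if on_forms and entry["cs-method"] == "POST":
            reason = "POST to Umbraco Forms endpoint"
            if references_suspect_extension(entry):
                reason += " referencing .config/.asp"
            if success and client in denied_clients:
                reason += " after earlier 401/403 from same client"
            alerts.append((client, stem, reason))
        elif success and references_suspect_extension(entry):
            # An uploaded .asp or .config being served is the post-upload indicator.
            alerts.append((client, stem, "successful request for .config/.asp resource"))
    return alerts


if __name__ == "__main__":
    for client, stem, reason in detect(SAMPLE_IIS_LOG):
        print(f"{client} {stem}: {reason}")
```

Because the upload body is invisible in the web log, pair this with a file-system check on the Umbraco media/upload directories for newly created web.config or .asp files; that is the indicator the request log cannot give you.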
