CVE-2021-36800
📋 TL;DR
CVE-2021-36800 is a code injection vulnerability in Akaunting accounting software that allows remote attackers to execute arbitrary PHP code by sending specially crafted POST requests to invoice endpoints. This affects all Akaunting installations running version 2.1.12 or earlier. Attackers can achieve remote code execution with significant impact on affected systems.
💻 Affected Systems
- Akaunting
📦 What is this software?
Akaunting by Akaunting
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive financial data, install backdoors, pivot to other systems, and potentially destroy or encrypt data.
Likely Case
Remote code execution leading to data theft, installation of cryptocurrency miners or ransomware, and unauthorized access to financial records and customer data.
If Mitigated
Limited impact with proper network segmentation, WAF filtering, and minimal user privileges, potentially resulting in isolated compromise of the web application only.
🎯 Exploit Status
Exploitation requires authentication to access the invoice endpoint, but the vulnerability is easily exploitable once authenticated. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.13
Vendor Advisory: https://github.com/akaunting/akaunting/releases/tag/2.1.13
Restart Required: No
Instructions:
1. Backup your Akaunting database and files.
2. Download version 2.1.13 or later from the official repository.
3. Replace the existing installation files with the patched version.
4. Clear any application caches.
5. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation that rejects POST parameters containing PHP callable names or other suspicious patterns.
Modify the application code to validate the items[0][price] parameter before it is processed.
WAF Rule Implementation
Deploy web application firewall rules that block requests containing PHP callable syntax in POST parameters.
Add a WAF rule that blocks requests whose POST parameters contain patterns such as 'system(', 'exec(', 'eval(' or similar PHP function calls.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Akaunting from other critical systems
- Enable detailed logging and monitoring for suspicious POST requests to invoice endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Akaunting version in the admin panel or by examining the application files. If the version is 2.1.12 or earlier, the system is vulnerable.
Check Version:
Check the version in the Akaunting admin dashboard, or examine the composer.json file in the installation directory.
Verify Fix Applied:
Verify the version has been updated to 2.1.13 or later in the admin panel or by checking the application version file.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /{company_id}/sales/invoices/{invoice_id} with PHP functions in items[0][price] parameter
- Unusual PHP execution errors or unexpected system commands in web server logs
Network Indicators:
- HTTP POST requests containing PHP callable syntax in parameters
- Unusual outbound connections from the Akaunting server
SIEM Query:
source="web_server_logs" AND method="POST" AND uri_path CONTAINS "/sales/invoices/" AND (param_value MATCHES "(system|exec|eval|passthru|shell_exec|popen|proc_open)\(" OR (param_name="items[0][price]" AND param_value CONTAINS "("))
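The log indicators and SIEM query above can be applied directly to request logs. The following is an added example (not from the advisory) that implements the same logic in Python over a few constructed JSON-lines records: it assumes a reverse proxy or WAF logs the method, path and raw POST body for each request (web-server access logs alone usually do not record bodies), and the field names `ts`, `src`, `method`, `path` and `body` are this example's own.

```python
"""Flag requests matching the CVE-2021-36800 indicators in a request log.

Added example, not part of the advisory. The log format is constructed:
one JSON object per line with ts, src, method, path and the raw form body.
"""
import json
import re
from urllib.parse import parse_qs

# Endpoint shape from the advisory: /{company_id}/sales/invoices/{invoice_id}.
# Path segments are matched loosely; tighten to your deployment's ID format.
INVOICE_PATH = re.compile(r"^/[^/]+/sales/invoices/[^/]+/?$")

# Callable names listed in the advisory's SIEM query, followed by "(".
PHP_CALLABLE = re.compile(
    r"\b(system|exec|eval|passthru|shell_exec|popen|proc_open)\s*\(", re.IGNORECASE
)

# Constructed sample log: a legitimate invoice edit, an attempt against the
# invoice endpoint, and a POST elsewhere that carries similar text but is
# outside the vulnerable path and must not be flagged.
SAMPLE_LOG = """\
{"ts":"2021-07-20T10:01:02Z","src":"10.0.0.5","method":"POST","path":"/1/sales/invoices/7","body":"items%5B0%5D%5Bprice%5D=19.99&items%5B0%5D%5Bname%5D=Consulting"}
{"ts":"2021-07-20T10:03:44Z","src":"198.51.100.9","method":"POST","path":"/1/sales/invoices/7","body":"items%5B0%5D%5Bprice%5D=system%28%27PLACEHOLDER%27%29"}
{"ts":"2021-07-20T10:05:10Z","src":"10.0.0.8","method":"POST","path":"/1/settings/notes","body":"text=call+system%28%29+before+leaving"}
"""


def parse_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: [values]}."""
    return parse_qs(body, keep_blank_values=True)


def is_suspicious(record: dict) -> bool:
    """Apply the advisory's query: POST to an invoice path, plus a callable
    pattern in any parameter or a "(" inside items[0][price]."""
    if record.get("method") != "POST":
        return False
    if not INVOICE_PATH.match(record.get("path", "")):
        return False
    params = parse_body(record.get("body", ""))
    any_callable = any(
        PHP_CALLABLE.search(v) for values in params.values() for v in values
    )
    paren_in_price = any("(" in v for v in params.get("items[0][price]", []))
    return bool(any_callable or paren_in_price)


def scan_log(text: str) -> list:
    """Return (timestamp, source, offending price values) for each suspicious record."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if is_suspicious(record):
            prices = parse_body(record.get("body", "")).get("items[0][price]", [])
            hits.append((record["ts"], record["src"], prices))
    return hits


if __name__ == "__main__":
    for ts, src, prices in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} suspicious items[0][price]={prices}")
```

The path check is what keeps the third record out of the results; dropping it would turn the rule into a generic "PHP function name in any POST" alert, which is noisier and is not what the advisory's query expresses.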