CVE-2021-43430 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2021-43430?

CVE-2021-43430 has a CVSS score of 8.8 (HIGH). This vulnerability allows unauthenticated attackers to upload malicious PHP files to BigAnt Office Messenger servers via the im_webserver component. Attackers can achieve remote code execution by uploading webshells or trojans. Organizations using BigAntSoft BigAnt Office Messenger 5.6 are affected.

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload malicious PHP files to BigAnt Office Messenger servers via the im_webserver component. Attackers can achieve remote code execution by uploading webshells or trojans. Organizations using BigAntSoft BigAnt Office Messenger 5.6 are affected.

💻 Affected Systems

Products:

BigAntSoft BigAnt Office Messenger

Versions: 5.6

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability specifically affects the im_webserver component. All installations with this component enabled are vulnerable.

📦 What is this software?

Bigant Office Messenger 5 by Bigantsoft

View all CVEs affecting Bigant Office Messenger 5 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the server, data exfiltration, ransomware deployment, and lateral movement to other systems.

🟠

Likely Case

Attackers upload webshells to establish persistent access, steal sensitive data, and use the compromised server for further attacks.

🟢

If Mitigated

Attack prevented through proper file upload validation, web application firewalls, and network segmentation limiting the impact to isolated segments.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via the web interface, making internet-facing instances immediately vulnerable to widespread scanning and exploitation.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or attackers who have gained initial network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The GitHub references contain technical details and likely exploit code. The low complexity and unauthenticated nature make this easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is documented. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Disable im_webserver component

all

Disable the vulnerable im_webserver component if not required for functionality.

Check BigAnt documentation for disabling specific components

Implement file upload restrictions

all

Configure web server to block PHP file uploads through the im_webserver endpoint.

Configure .htaccess or web server rules to deny *.php uploads

🧯 If You Can't Patch

Implement strict network segmentation to isolate BigAnt servers from critical systems
Deploy a web application firewall (WAF) with rules to block PHP file uploads to vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check if BigAnt Office Messenger version is 5.6 and im_webserver component is enabled. Attempt to upload a test PHP file to the im_webserver endpoint.

Check Version:

Check BigAnt administration panel or configuration files for version information

Verify Fix Applied:

Verify that PHP file uploads to im_webserver endpoints are blocked or that the component is disabled.

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to im_webserver endpoints
PHP file execution from unexpected locations
Webshell-like activity in access logs

Network Indicators:

HTTP POST requests to im_webserver with PHP file uploads
Unusual outbound connections from BigAnt server

SIEM Query:

source="bigant_logs" AND (url="*im_webserver*" AND method="POST" AND file_extension="php")

📊 Metadata

CVE ID: CVE-2021-43430

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: April 7, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/Flash1201/bug/blob/main/bigant Exploit,Third Party Advisory
https://github.com/Flash1201/bug/blob/main/bigant Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-43430, you might also want to check these: