CVE-2021-46384

9.8 CRITICAL

📋 TL;DR

MCMS versions up to and including 5.2.5 contain a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands on the server. This affects all systems running vulnerable MCMS versions with network access to the application. Successful exploitation can lead to complete system compromise.

💻 Affected Systems

Products:
  • MCMS (MingSoft Content Management System)
Versions: <= 5.2.5
Operating Systems: Any OS running MCMS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover allowing attacker to install malware, exfiltrate data, pivot to other systems, or deploy ransomware.

🟠 Likely Case

Initial foothold leading to web shell installation, credential theft, and lateral movement within the network.

🟢 If Mitigated

Attack blocked at network perimeter or application firewall; no impact if proper segmentation and access controls are in place.

🌐 Internet-Facing: HIGH - Unauthenticated RCE with public exploit details makes internet-facing systems immediate targets.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to any network-accessible attacker, including compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit uses FreeMarker template injection with payload: ${'freemarker.template.utility.Execute'?new()('calc')}

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 5.2.5

Vendor Advisory: https://gitee.com/mingSoft/MCMS/issues/I4QZ1O

Restart Required: Yes

Instructions:

1. Backup current installation and data.
2. Download latest MCMS version from official repository.
3. Replace vulnerable files with patched version.
4. Restart web application server.
5. Verify functionality.

🔧 Temporary Workarounds

WAF Rule Implementation

Platform: all

Block FreeMarker template injection patterns at web application firewall

Add WAF rule to block requests containing: ${'freemarker.template.utility.Execute'?new()
Block patterns: ?new() and Execute in FreeMarker context

Network Access Restriction

Platform: linux

Restrict access to MCMS administration interfaces

iptables -A INPUT -p tcp --dport [MCMS_PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [MCMS_PORT] -j DROP

🧯 If You Can't Patch

  • Isolate MCMS system in separate network segment with strict firewall rules
  • Implement application-level input validation to filter FreeMarker template expressions

🔍 How to Verify

Check if Vulnerable:

Check MCMS version in admin panel or by examining version files; if version <= 5.2.5, system is vulnerable.

Check Version:

Check /WEB-INF/classes/version.properties or admin interface for version number

Verify Fix Applied:

Confirm version is > 5.2.5 and test with safe payload: ${7*7} should be rendered literally rather than evaluated to 49.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing FreeMarker template injection patterns
  • Unusual process execution from web server user
  • Multiple failed exploit attempts

Network Indicators:

  • HTTP POST requests with FreeMarker payloads to MCMS endpoints
  • Outbound connections from web server to unknown IPs

SIEM Query:

source='web_logs' AND (uri CONTAINS 'freemarker.template.utility.Execute' OR uri CONTAINS '?new()')
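A detection pass over web server access logs, added here as an example (not from the advisory or the MCMS project): it URL-decodes request URIs, including double-encoded ones, before matching the same patterns the SIEM query above uses, because a raw string match misses encoded payloads. The log lines and request paths are constructed placeholders, not MCMS endpoints.

```python
import re
from urllib.parse import unquote

# Patterns from the advisory's SIEM query; matched case-insensitively
# against the fully URL-decoded request URI.
FREEMARKER_PATTERNS = (
    "freemarker.template.utility.execute",
    "?new()",
)

# Combined log format: ip ident user [timestamp] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Line 2 carries the
# advisory's payload URL-encoded once; line 3 carries it double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:10:00:01 +0000] "GET /app/search?keyword=news HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2022:10:00:02 +0000] "GET /app/search?keyword=%24%7B%27freemarker.template.utility.Execute%27%3Fnew%28%29%28%27calc%27%29%7D HTTP/1.1" 200 77
10.0.0.9 - - [10/Jan/2022:10:00:03 +0000] "GET /app/search?keyword=%2524%257B%2527freemarker.template.utility.Execute%2527%253Fnew%2528%2529 HTTP/1.1" 200 77
10.0.0.7 - - [10/Jan/2022:10:00:04 +0000] "POST /app/login HTTP/1.1" 302 0
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until stable, to catch double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_freemarker_injection(uri: str) -> bool:
    """True if the decoded URI contains a FreeMarker injection marker."""
    text = fully_decode(uri).lower()
    return any(pattern in text for pattern in FREEMARKER_PATTERNS)


def scan_access_log(log_text: str) -> list:
    """Return one record per request whose URI matches the patterns."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and is_freemarker_injection(match["uri"]):
            hits.append({"ip": match["ip"], "method": match["method"],
                         "status": match["status"],
                         "decoded_uri": fully_decode(match["uri"])})
    return hits
```

Note that this only inspects the URI; POST bodies must be logged separately (for example by a WAF or reverse proxy) to be covered.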
