CVE-2021-46386
📋 TL;DR
This CVE describes a critical file upload vulnerability in the mingSoft MCMS content management system that allows remote attackers to upload malicious JSPX webshell files. Attackers can execute arbitrary code on affected servers, potentially leading to complete system compromise. All organizations running MCMS versions through 5.2.5 are affected.
💻 Affected Systems
- mingSoft MCMS
📦 What is this software?
Mcms by Mingsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with administrative access, data exfiltration, ransomware deployment, and lateral movement to other systems in the network.
Likely Case
Webshell installation leading to persistent backdoor access, data theft, and use of compromised server for further attacks.
If Mitigated
Attack blocked at web application firewall level with no file uploads reaching vulnerable endpoint.
🎯 Exploit Status
Simple HTTP POST request with crafted JSPX file to upload endpoint. Public exploit details available in the referenced issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.6 or later
Vendor Advisory: https://gitee.com/mingSoft/MCMS/issues/I4R0GW
Restart Required: Yes
Instructions:
1. Back up the current installation and database.
2. Download MCMS version 5.2.6 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the Java application server.
5. Verify the upload functionality is properly secured.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block requests to the vulnerable upload endpoint at the network perimeter.
WAF rule: Block POST requests to */net/mingsoft/basic/action/web/FileAction#upload* containing .jspx files
File Upload Restriction
Configure the server to reject JSPX file uploads at the application level.
Add file extension filter in web.xml or application configuration to block .jspx uploads
🧯 If You Can't Patch
- Implement strict file upload validation allowing only whitelisted file types
- Deploy network segmentation to isolate MCMS instance from critical systems
🔍 How to Verify
Check if Vulnerable:
Check MCMS version in admin panel or by examining application files. Versions 5.2.5 and earlier are vulnerable.
Check Version:
Check WEB-INF/classes/application.properties or admin interface for version information
Verify Fix Applied:
Attempt to upload a JSPX file to the upload endpoint - should be rejected with proper validation. Verify version is 5.2.6 or later.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to FileAction#upload endpoint with .jspx files
- Unusual file creation in web application directories
- Java process spawning unexpected child processes
Network Indicators:
- Outbound connections from web server to unknown IPs
- Unusual traffic patterns from MCMS server
SIEM Query:
source="web_server" AND (url="*FileAction#upload*" AND file_extension="jspx")
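
An added example (not code from MCMS or the vendor advisory) for the "unusual file creation in web application directories" indicator above: it walks an upload directory and reports files whose normalized extension is one a servlet container may execute. The extension set, the `upload/1` layout and the file names are assumptions constructed for the demonstration.

```python
import os
import tempfile

# JSP-family extensions (assumed list; extend it to match the JSP
# mappings configured in your own servlet container).
EXECUTABLE_EXTS = {".jsp", ".jspx", ".jspf"}


def normalized_ext(name):
    """Lower-cased extension after stripping trailing dots and spaces,
    which some filesystems ignore (e.g. 'shell.jspx.' on Windows)."""
    cleaned = name.rstrip(". ").lower()
    return os.path.splitext(cleaned)[1]


def scan_upload_dir(root, since_epoch=0.0):
    """Return sorted (relative_path, reason) findings under root.

    since_epoch limits the report to files modified at or after that
    time, e.g. the date the vulnerable version was first exposed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) < since_epoch:
                continue
            ext = normalized_ext(name)
            if ext in EXECUTABLE_EXTS:
                rel = os.path.relpath(full, root)
                findings.append((rel, "server-executable extension " + ext))
    return sorted(findings)


def demo():
    """Build a constructed upload tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        updir = os.path.join(root, "upload", "1")
        os.makedirs(updir)
        for name in ("logo.png", "a.JSPX", "b.jspx."):
            with open(os.path.join(updir, name), "w") as fh:
                fh.write("constructed sample\n")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "-", reason)
```

Any finding in a directory that should hold only images or documents warrants review of the file and of the requests that created it.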