CVE-2021-47939

Evo · Evolution CMS

Evolution CMS 3.1.6 contains a code injection vulnerability that allows an authenticated attacker to execute arbitrary code during module creation.

Executive summary

An authenticated code injection vulnerability in Evolution CMS 3.1.6 allows attackers to achieve remote code execution.

Vulnerability

This vulnerability (CWE-94) is triggered during the module creation process. It requires the attacker to hold low-level privileges (PR:L), after which they can inject and execute arbitrary code.

Business impact

Successful exploitation provides the attacker with a foothold to execute code on the underlying server, which can lead to total system compromise. With a CVSS score of 8.8, this flaw represents a significant risk to the integrity and security of the hosting environment.

Remediation

Immediate Action: Apply the latest security patches provided by the Evolution CMS project. Ensure that administrative module creation is restricted to authorized, trusted personnel only.

Proactive Monitoring: Review audit logs for unusual module creation activities or modifications to system files that do not align with expected administrative tasks.

Compensating Controls: Apply WAF rules to block malicious payloads within administrative forms and module creation requests.

Exploitation status

Public Exploit Available: Yes — an entry exists on ExploitDB.

Analyst recommendation

Given the potential for complete system compromise, organizations should prioritize updating their Evolution CMS instances to the latest patched version. Restricting administrative access is a vital interim measure to reduce the attack surface.