Vulnerabilities > CVE-2021-26914 - Deserialization of Untrusted Data vulnerability in Netmotionsoftware Netmotion Mobility 12.0

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

netmotionsoftware

CWE-502

critical

NVD

Published: 2021-02-08

Updated: 2021-05-21

Summary

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject.

Vulnerable Configurations

Part	Description	Count
Application	Netmotionsoftware Netmotionsoftware Netmotion Mobility * Netmotionsoftware Netmotion Mobility 12.0	2

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020
https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/
https://ssd-disclosure.com/?p=4676
http://packetstormsecurity.com/files/162617/NetMotion-Mobility-Server-MvcUtil-Java-Deserialization.html