vulnerability
NetMotion Mobility: Unauthenticated Java Deserialization (CVE-2021-26914)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Feb 8, 2021 | May 24, 2021 | Jan 12, 2023 |
Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
Feb 8, 2021
Added
May 24, 2021
Modified
Jan 12, 2023
Description
NetMotion Mobility before 11.73 and 12.x before 12.02 allows
unauthenticated remote attackers to execute arbitrary code as SYSTEM
because of Java deserialization in MvcUtil valueStringToObject.
Solution
http-netmotion-mobility-cve-2021-26914
References
- CVE-2021-26914
- https://attackerkb.com/topics/CVE-2021-26914
- https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/
- https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020
- https://srcincite.io/advisories/src-2021-0007/
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.