CVE-2021-20837

Tags: CRITICAL · EXPLOITED IN THE WILD · NUCLEI

Movable Type 4.0 through 6.8.2 and 7 r.5002, Premium/Premium Advanced through 1.46 - Unauthenticated Remote Code Execution via XMLRPC API


Exploitation Summary

CVE-2021-20837 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Charl-Alexandre Le Brun, orangmuda, ghost-nemesis. A Nuclei detection template is also available.

AI-analyzed exploit summary: The Metasploit module exploits an OS command injection flaw in Movable Type's XMLRPC API (CVE-2021-20837) by sending a crafted XML-RPC call whose parameter carries a base64-encoded command. Its check routine looks for a fingerprint in the response and fires the payload only when the target is confirmed vulnerable.

Description

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.

Exploits (6)

exploitdb · WORKING POC · VERIFIED
by Charl-Alexandre Le Brun · ruby · webapps · cgi
https://www.exploit-db.com/exploits/50464

Exploit-DB copy of the Metasploit module. It sends a crafted XML-RPC call to Movable Type's XMLRPC API whose parameter carries a base64-encoded command; the check routine verifies a fingerprint in the response before the payload is executed.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Movable Type (version not specified) · No auth needed
Prerequisites: Network access to the target's XMLRPC endpoint · Movable Type instance with vulnerable XMLRPC API
Analyzed by devstral-2, Feb 16, 2026
nomisec · WORKING POC · 21 stars
by orangmuda · remote
https://github.com/orangmuda/CVE-2021-20837

This repository contains a functional Metasploit module for CVE-2021-20837, which exploits a remote command injection vulnerability in Movable Type's XMLRPC API. The exploit crafts a malicious XML payload to execute arbitrary commands via the `mt.handler_to_coderef` method.

Classification: Working PoC (100%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Movable Type (versions affected by CVE-2021-20837) · No auth needed
Prerequisites: Network access to the target's XMLRPC endpoint · Movable Type with vulnerable XMLRPC API exposed
Analyzed by devstral-2, Feb 18, 2026
nomisec · WORKING POC · 18 stars
by ghost-nemesis · remote
https://github.com/ghost-nemesis/cve-2021-20837-poc

This repository contains a functional Metasploit module for CVE-2021-20837, which exploits a remote command injection vulnerability in Movable Type's XMLRPC API. The exploit crafts a malicious XML payload to execute arbitrary commands via the `mt.handler_to_coderef` method.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Movable Type (versions affected by CVE-2021-20837) · No auth needed
Prerequisites: Network access to the target's XMLRPC endpoint · Movable Type instance with vulnerable XMLRPC API exposed
Analyzed by devstral-2, Feb 18, 2026
gitlab · WORKING POC
by thomstack · remote
https://gitlab.com/thomstack/cve-2021-20837

This repository contains a functional Metasploit module for CVE-2021-20837, which exploits a remote command injection vulnerability in Movable Type's XMLRPC API. The exploit crafts a malicious XML payload to execute arbitrary commands via the `mt.handler_to_coderef` method.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Movable Type (versions affected by CVE-2021-20837) · No auth needed
Prerequisites: Network access to the target's XMLRPC endpoint · Movable Type with vulnerable XMLRPC API exposed
Analyzed by devstral-2, Feb 23, 2026
nomisec · WORKING POC
by bb33bb · poc
https://github.com/bb33bb/CVE-2021-20837

This repository contains a functional exploit for CVE-2021-20837, an unauthenticated RCE vulnerability in MovableType. The exploit leverages the `mt.handler_to_coderef` method in the XML-RPC interface to execute arbitrary OS commands via a base64-encoded payload.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Movable Type (7 Series r.5002 and earlier, 6 Series 6.8.2 and earlier, Premium and Premium Advanced 1.46 and earlier) · No auth needed
Prerequisites: Network access to the target's XML-RPC endpoint (`/cgi-bin/mt/mt-xmlrpc.cgi`)
Analyzed by devstral-2, Feb 18, 2026
nomisec · STUB
by Cosemz · poc
https://github.com/Cosemz/CVE-2021-20837

The repository contains only a minimal README with a CVE title and no functional exploit code or technical details. It lacks any meaningful content to demonstrate or analyze the vulnerability.

Classification: Stub (90%) · Attack type: Other · Complexity: Theoretical · Reliability: Theoretical
Target: Movable Type XMLRPC · No auth needed
Analyzed by devstral-2, Feb 18, 2026

Nuclei Templates (1)

MovableType - Remote Command Injection
CRITICAL · by dhiyaneshDK, hackergautam
Shodan: http.title:"サインイン | movable type pro" || cpe:"cpe:2.3:a:sixapart:movable_type"
FOFA: title="サインイン | movable type pro"
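The exploit summaries and the Nuclei template above agree on the attack shape: an unauthenticated POST to the XML-RPC endpoint (`/cgi-bin/mt/mt-xmlrpc.cgi`) calling `mt.handler_to_coderef` with a parameter that carries a base64-encoded OS command instead of a handler name. The script below is an added example, not code from this page, from Movable Type, or from any of the PoCs listed; it shows the request-side detection a WAF rule or an incident-response log replay would apply. It parses an XML-RPC body, decodes `<base64>` values, and alerts on any call to `mt.handler_to_coderef`, adding a second reason when the parameter does not look like a Perl package/handler name. The request bodies are constructed for the demo, and `mt.getRecentPostTitles` is used only as a representative legitimate MovableType API method; the handler-name regex is an assumption about what a benign parameter looks like.

```python
"""XML-RPC request inspector for Movable Type's mt-xmlrpc.cgi.

Added example; not code from the page, from Movable Type, or from the PoCs.
Parses an XML-RPC methodCall, decodes <base64> params, and flags calls to
mt.handler_to_coderef (the method the exploit write-ups name). Sample bodies
below are constructed for the demo, not captured traffic.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET  # use defusedxml in production so the
                                    # detector itself cannot be entity-bombed
from dataclasses import dataclass, field
from typing import List, Tuple

# Method named in the exploit summaries. Blogging clients use the MetaWeblog /
# MovableType API methods (e.g. mt.getRecentPostTitles) and never call this one,
# so any call is alert-worthy regardless of payload.
DANGEROUS_METHODS = {"mt.handler_to_coderef"}

# Assumption: a benign handler name is a Perl package/sub reference such as
# MT::Foo::bar or MT::Foo->bar. Backticks, ';', '|', '$' etc. mean injection.
HANDLER_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_:]*(->[A-Za-z_][A-Za-z0-9_]*)?$")


@dataclass
class Verdict:
    method: str
    params: List[str]
    alert: bool
    reasons: List[str] = field(default_factory=list)


def _value_text(value_el: ET.Element) -> str:
    """Text of one <value>: bare text, <string>/<int> text, or decoded <base64>."""
    if len(value_el) == 0:                      # <value>text</value> is a string
        return value_el.text or ""
    child = value_el[0]
    if child.tag == "base64":
        try:
            raw = base64.b64decode((child.text or "").strip(), validate=True)
            return raw.decode("utf-8", "replace")
        except binascii.Error:
            return child.text or ""             # undecodable: inspect as-is
    return child.text or ""


def parse_xmlrpc(body: bytes) -> Tuple[str, List[str]]:
    """Return (methodName, [decoded params]); raise ValueError if not XML-RPC."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"not XML: {exc}") from exc
    if root.tag != "methodCall":
        raise ValueError("not a methodCall")
    method = (root.findtext("methodName") or "").strip()
    params = [_value_text(v) for v in root.findall("./params/param/value")]
    return method, params


def inspect_request(body: bytes) -> Verdict:
    """Classify one XML-RPC request body; unparseable input is reported, not alerted."""
    try:
        method, params = parse_xmlrpc(body)
    except ValueError as exc:
        return Verdict("", [], False, [str(exc)])
    reasons = []
    if method in DANGEROUS_METHODS:
        reasons.append(f"call to internal method {method}")
        for p in params:
            if not HANDLER_NAME.match(p.strip()):
                reasons.append(f"parameter is not a handler name: {p.strip()[:60]!r}")
    return Verdict(method, params, bool(reasons), reasons)


# --- constructed sample traffic ---------------------------------------------
BENIGN = b"""<?xml version="1.0"?>
<methodCall><methodName>mt.getRecentPostTitles</methodName>
<params><param><value><string>1</string></value></param>
<param><value><string>editor</string></value></param>
<param><value><string>hunter2</string></value></param>
<param><value><int>5</int></value></param></params></methodCall>"""

# Command in Perl backticks, delivered as an XML-RPC <base64> value.
_CMD = b"`echo marker-2021-20837 | tee /tmp/mt-probe`;"
BASE64_TYPED = (b"""<?xml version="1.0"?>
<methodCall><methodName>mt.handler_to_coderef</methodName>
<params><param><value><base64>""" + base64.b64encode(_CMD)
                + b"""</base64></value></param></params></methodCall>""")

# Same idea as a <string> value carrying a base64 pipeline for the shell.
STRING_TYPED = b"""<?xml version="1.0"?>
<methodCall><methodName>mt.handler_to_coderef</methodName>
<params><param><value><string>`echo aWQ= | base64 -d | sh`;</string></value></param></params></methodCall>"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("base64-typed", BASE64_TYPED),
                       ("string-typed", STRING_TYPED)):
        v = inspect_request(body)
        print(f"{name:13s} alert={v.alert} method={v.method!r} reasons={v.reasons}")
```

Running the block prints one line per sample; only the two `mt.handler_to_coderef` calls alert. Because the rule keys on the method name first, it still fires on a payload encoded in a way the regex would not catch, and the decoded parameter is kept in the verdict so an analyst sees the command that was attempted.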

References (4)

Release Notes, Vendor Advisory: https://movabletype.org/news/2021/10/mt-782-683-released.html
Third Party Advisory: https://jvn.jp/en/jp/JVN41119755/index.html

Scores

CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9419 (99.9th percentile)
Attack Vector: NETWORK

Details

VulnCheck KEV: 2022-05-31
InTheWild.io: 2022-05-31
CWE: CWE-78 (OS Command Injection)
Status: published
Products (3)
sixapart/movable_type < 1.46 (2 CPE variants)
sixapart/movable_type 4.0 - 6.3.11
sixapart/movable_type 6.5.0 - 6.8.2 (2 CPE variants)
Note: the CPE ranges conflate product lines. The "< 1.46" range corresponds to Movable Type Premium / Premium Advanced in the description above, and the 7 Series (7 r.5002 and earlier) is not represented in this list; treat the vendor description, not the CPE ranges, as authoritative for affected versions.
Published Oct 26, 2021
Tracked Since Feb 18, 2026