CVE-2021-21307

HIGH · EXPLOITED · NUCLEI

Lucee Server < 5.3.7.47 / 5.3.6.68 / 5.3.5.96 - RCE

Title source: llm

Exploitation Summary

CVE-2021-21307 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including rootxharsh, iamnoooob and wvu, among them the Metasploit module exploits/linux/http/lucee_admin_imgprocess_file_write. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a detailed technical writeup on exploiting Lucee misconfigurations in Apple's infrastructure, including path traversal and RCE via CFM files. It discusses WAF bypass techniques and specific vulnerabilities in Lucee's admin panel.

Description

Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code execution vulnerability. This is fixed in versions 5.3.7.47, 5.3.6.68 and 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.

Exploits (3)

vulncheck_xdb WRITEUP
remote
https://github.com/httpvoid/writeups

This repository contains a detailed technical writeup on exploiting Lucee misconfigurations in Apple's infrastructure, including path traversal and RCE via CFM files. It discusses WAF bypass techniques and specific vulnerabilities in Lucee's admin panel.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Lucee (ColdFusion-based CMS)
No auth needed
Prerequisites: Access to Lucee admin panel endpoints · Understanding of CFM file execution · WAF bypass techniques
devstral-2 · analyzed Feb 25, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/httpvoid/CVE-Reverse

The repository contains functional exploit code for CVE-2021-21307, an unauthenticated remote code execution vulnerability in Lucee Admin. The exploit leverages a file upload mechanism to deploy a malicious payload and achieve RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Lucee Admin before versions 5.3.7.47, 5.3.6.68, or 5.3.5.96
No auth needed
Prerequisites: Access to the Lucee Admin interface · Ability to upload files
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by rootxharsh, iamnoooob, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb

This Metasploit module exploits an arbitrary file write vulnerability in Lucee Administrator's imgProcess.cfm to achieve remote code execution as the Tomcat user. It writes a CFML stub to execute commands via a POST request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Lucee Administrator (CVE-2021-21307)
No auth needed
Prerequisites: Network access to the Lucee Administrator interface · Lucee Administrator imgProcess.cfm endpoint accessible
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Lucee Admin - Remote Code Execution
CRITICAL · by dhiyaneshDk

Scores

CVSS v3 8.6
EPSS 0.9222
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Details

VulnCheck KEV 2023-11-29
CWE
CWE-862
Status published
Products (1)
lucee/lucee_server 5.3.5.00 - 5.3.5.96
Published Feb 11, 2021
Tracked Since Feb 18, 2026