CVE-2021-21425

CRITICAL

Grav Admin Plugin < 1.10.8 - Unauthenticated Arbitrary YAML Write via Administrator Controller


Exploitation Summary

EIP tracks 7 public exploits for CVE-2021-21425. PoCs published by Mehmet Ince, CsEnox, bluetoothStrawberry, including Metasploit module exploits/linux/http/gravcms_exec.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated arbitrary YAML write vulnerability in GravCMS Admin Plugin (CVE-2021-21425) to achieve remote code execution by manipulating the scheduler configuration to execute a PHP payload.

Description

Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and to create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of the administrator controller without any credentials. Executing particular methods results in arbitrary YAML file creation or in content changes to existing YAML files on the system. Successful exploitation of that vulnerability results in configuration changes, such as changes to general site information, custom scheduler job definitions, etc. Due to the nature of the vulnerability, an adversary can change parts of the webpage, hijack an administrator account, or execute operating system commands in the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.

Exploits (7)

exploitdb · WORKING POC · VERIFIED
by Mehmet Ince · ruby · webapps · php
https://www.exploit-db.com/exploits/49788

This Metasploit module exploits an unauthenticated arbitrary YAML write vulnerability in GravCMS Admin Plugin (CVE-2021-21425) to achieve remote code execution by manipulating the scheduler configuration to execute a PHP payload.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: GravCMS Admin Plugin <= 1.10.7 · No auth needed
Prerequisites: Target must have GravCMS Admin Plugin <= 1.10.7 installed · PHP must be available on the target system
Analysis: devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 11 stars
by CsEnox · poc
https://github.com/CsEnox/CVE-2021-21425

This repository contains a functional exploit for CVE-2021-21425, which targets GravCMS. The exploit leverages unauthenticated arbitrary YAML write/update to achieve remote code execution by scheduling a task to create and execute a shell script.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: GravCMS Admin 1.7.10 · No auth needed
Prerequisites: Target URL with vulnerable GravCMS instance
Analysis: devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by bluetoothStrawberry · poc
https://github.com/bluetoothStrawberry/cve-2021-21425

This repository contains a functional exploit for CVE-2021-21425, targeting GravCMS 1.10.7. The exploit leverages an unauthenticated arbitrary YAML write vulnerability to schedule a malicious cron job, resulting in remote code execution (RCE) via a PHP web shell.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: GravCMS 1.10.7 · No auth needed
Prerequisites: Target must be running GravCMS 1.10.7 · Target must have the admin panel accessible · Target must allow writes to the /tmp directory
Analysis: devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by d4ytox · poc
https://github.com/d4ytox/CVE-2021-21425

This repository contains a functional exploit for CVE-2021-21425, an unauthenticated RCE vulnerability in GravCMS <= 1.10.7. The exploit abuses the scheduler configuration to create a malicious cron job that executes arbitrary PHP code, resulting in remote command execution.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: GravCMS <= 1.10.7 · No auth needed
Prerequisites: Access to the GravCMS admin panel endpoint · Network connectivity to the target
Analysis: devstral-2 · analyzed Jun 13, 2026
nomisec · WORKING POC
by TeddyEngel · poc
https://github.com/TeddyEngel/CVE-2021-21425

This repository contains a functional exploit for CVE-2021-21425, an unauthenticated RCE vulnerability in GravCMS <= 1.10.7. The exploit abuses the scheduler configuration to create a malicious cron job that executes arbitrary PHP code.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: GravCMS <= 1.10.7 · No auth needed
Prerequisites: Access to the GravCMS admin panel endpoint · Python 3 with requests library
Analysis: devstral-2 · analyzed May 19, 2026
nomisec · WORKING POC
by afifudinmtop · poc
https://github.com/afifudinmtop/CVE-2021-21425

This repository contains a functional exploit for CVE-2021-21425, targeting GravCMS 1.10.7. The exploit leverages an unauthenticated arbitrary YAML write/update vulnerability to achieve remote code execution (RCE) by scheduling a malicious PHP command via the admin tools.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: GravCMS 1.10.7 · No auth needed
Prerequisites: Target must be running GravCMS 1.10.7 · Network access to the target's admin interface
Analysis: devstral-2 · analyzed Feb 19, 2026
metasploit · WORKING POC · NORMAL
by Mehmet Ince <[email protected]> · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/gravcms_exec.rb

This Metasploit module exploits an unauthenticated arbitrary YAML write vulnerability in GravCMS Admin Plugin (CVE-2021-21425) to achieve remote code execution by manipulating the scheduler configuration to execute a PHP payload.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: GravCMS Admin Plugin <= 1.10.7 · No auth needed
Prerequisites: Target must have GravCMS Admin Plugin installed and vulnerable · PHP must be available on the target system
Analysis: devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.3
EPSS 0.9164
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Details

CWE
CWE-284
Status published
Products (1)
getgrav/grav-plugin-admin < 1.10.8
Published Apr 07, 2021
Tracked Since Feb 18, 2026