CVE-2021-23758

HIGH

ajaxpro.2 < 21.10.30.1 and AjaxNetProfessional < 21.11.29.1 - Remote Code Execution via Untrusted Data Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-23758. PoCs published by numanturle, Hans-Martin Münch (MOGWAI LABS), Jemmy Wang, including Metasploit module exploits/windows/http/ajaxpro_deserialization_rce.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2021-23758, a deserialization vulnerability in Ajax.NET Professional. The exploit leverages a crafted HTTP POST request with a malicious payload to achieve remote code execution (RCE) via the `System.Windows.Data.ObjectDataProvider` type.

Description

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.

Exploits (2)

nomisec WORKING POC 17 stars
by numanturle · poc
https://github.com/numanturle/CVE-2021-23758-POC

This repository contains a functional proof-of-concept exploit for CVE-2021-23758, a deserialization vulnerability in Ajax.NET Professional. The exploit leverages a crafted HTTP POST request with a malicious payload to achieve remote code execution (RCE) via the `System.Windows.Data.ObjectDataProvider` type.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Ajax.NET Professional
No auth needed
Prerequisites: Target must be running a vulnerable version of Ajax.NET Professional · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Hans-Martin Münch (MOGWAI LABS), Jemmy Wang · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/ajaxpro_deserialization_rce.rb

This Metasploit module exploits an insecure deserialization vulnerability in AjaxPro to achieve remote code execution. It constructs malicious JSON data that triggers arbitrary command execution via the `ObjectDataProvider` and `Process` classes.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: AjaxPro versions prior to 21.10.30.1
No auth needed
Prerequisites: Target must have a vulnerable AjaxPro endpoint exposed · Target must have a vulnerable method with a parameter of type assignable from `ObjectDataProvider`
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.1
EPSS 0.8778
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (2)
ajaxpro.2_project/ajaxpro.2 < 21.10.30.1
nuget/AjaxNetProfessional 0 - 21.11.29.1NuGet
Published Dec 03, 2021
Tracked Since Feb 18, 2026