CVE-2021-23758

HIGH

Ajaxpro.2 < 21.10.30.1 - Insecure Deserialization

Title source: rule

Description

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.

Exploits (2)

nomisec WORKING POC 17 stars

by numanturle · poc

https://github.com/numanturle/CVE-2021-23758-POC

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Hans-Martin Münch (MOGWAI LABS), Jemmy Wang · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/ajaxpro_deserialization_rce.rb

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/175677/AjaxPro-Deserialization-Remote-Code-Execution.html

[Patch, Third Party Advisory] https://github.com/michaelschwarz/Ajax.NET-Professional/commit/b0e63be5f0bb20dfce507cb8a1a9568f6e73de57

[Third Party Advisory] https://snyk.io/vuln/SNYK-DOTNET-AJAXPRO2-1925971

Scores

CVSS v3 8.1

EPSS 0.8778

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (2)

ajaxpro.2_project/ajaxpro.2 < 21.10.30.1

nuget/AjaxNetProfessional 0 - 21.11.29.1NuGet

Published Dec 03, 2021

Tracked Since Feb 18, 2026