CVE-2021-26912
HIGHNetMotion Mobility <11.73/12.x<12.02 - RCE via Java Deserialization
Title source: llmDescription
NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in SupportRpcServlet.
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://ssd-disclosure.com/?p=4676
Vendor Advisory x_refsource_misc
https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020
Exploit, Third Party Advisory x_refsource_misc
https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/
Scores
CVSS v3
8.1
EPSS
0.4104
EPSS Percentile
98.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
netmotionsoftware/netmotion_mobility
< 11.73
Published
Feb 08, 2021
Tracked Since
Feb 18, 2026