CVE-2021-26914
HIGH
Netmotionsoftware Netmotion Mobility - Insecure Deserialization
NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject.
Exploits (1)
metasploit
WORKING POC
EXCELLENT
by mr_me, wvu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/netmotion_mobility_mvcutil_deserialization.rb
References (4)
Scores
CVSS v3: 8.1
EPSS: 0.6444
EPSS Percentile: 98.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-502
Status: published
Products (1): netmotionsoftware/netmotion_mobility < 11.73
Published: Feb 08, 2021
Tracked Since: Feb 18, 2026