CVE-2021-26914

HIGH

NetMotion Mobility < 11.73 and 12.x < 12.02 - Unauthenticated Remote Code Execution via Java Deserialization in MvcUtil

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-26914. PoCs were published by mr_me and wvu, including the Metasploit module exploits/windows/http/netmotion_mobility_mvcutil_deserialization.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated Java deserialization vulnerability in NetMotion Mobility Server's MvcUtil.valueStringToObject() method via the /mobility/Menu/isLoggedOn endpoint to achieve remote code execution as SYSTEM.

Description

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject.

Exploits (1)

metasploit WORKING POC EXCELLENT
by mr_me, wvu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/netmotion_mobility_mvcutil_deserialization.rb

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: NetMotion Mobility Server versions 11.x before 11.73 and 12.x before 12.02
No auth needed
Prerequisites: Network access to the target server · Vulnerable version of NetMotion Mobility Server
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.1
EPSS 0.7767
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-502
Status published
Products (1)
netmotionsoftware/netmotion_mobility < 11.73
Published Feb 08, 2021
Tracked Since Feb 18, 2026