CVE-2021-27198

CRITICAL

Visualware Myconnection Server < 11.1a - Unrestricted File Upload

Title source: rule

Description

An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

Exploits (1)

nomisec WORKING POC

by rwincey · poc

https://github.com/rwincey/CVE-2021-27198

View Code ZIP pw:eip

References (5)

[Product, Vendor Advisory] https://myconnectionserver.visualware.com/download.html

[Release Notes, Vendor Advisory] https://myconnectionserver.visualware.com/support/newrelease.html

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Feb/81

[Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html

[Third Party Advisory] https://www.securifera.com/advisories/cve-2021-27198/

Scores

CVSS v3 9.8

EPSS 0.1415

EPSS Percentile 94.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

visualware/myconnection_server < 11.1a

Published Feb 26, 2021

Tracked Since Feb 18, 2026