CVE-2021-37425

CRITICAL

Altova MobileTogether Server < 7.3 SP1 - XML External Entity Injection via Workflow Management Endpoint


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-37425. PoCs published by RedTeam Pentesting GmbH.

AI-analyzed exploit summary

This exploit demonstrates an XXE vulnerability in Altova MobileTogether Server 7.3, allowing arbitrary file reads and SSRF via crafted XML entities in HTTP requests. The PoC includes detailed steps and examples for file disclosure and internal service access.

Description

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.

Exploits (1)

exploitdb WORKING POC
by RedTeam Pentesting GmbH · text · webapps · multiple
https://www.exploit-db.com/exploits/50191


Classification
Working PoC 100%
Attack Type
Info Leak | SSRF | DoS
Complexity
Moderate
Reliability
Reliable
Target: Altova MobileTogether Server 7.3
Auth required
Prerequisites: Access to at least one app on the server · Valid credentials (default: root/root) · Knowledge of absolute file paths
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory
https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
Vendor Advisory
https://www.altova.com/mobiletogether
Exploit, Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2021/Aug/12

Scores

CVSS v3 9.1
EPSS 0.6628
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-611
Status published
Products (2)
altova/mobiletogether_server 7.3
altova/mobiletogether_server 7.0 - 7.3
Published Aug 10, 2021
Tracked Since Feb 18, 2026