CVE-2021-39144

HIGH KEV NUCLEI

XStream < 1.4.18 - Remote Code Execution via Untrusted Data Deserialization


Exploitation Summary

CVE-2021-39144 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 10, 2023. EIP tracks 1 public exploit, by researchers including h00die-gr3y, Sina Kheirkhah and Steven Seeley: the Metasploit module exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2021-39144, an unauthenticated RCE vulnerability in VMware NSX Manager (NSX-V) via XStream deserialization. It leverages a malicious XML payload to execute arbitrary commands as root.

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Exploits (1)

metasploit · Working PoC · Excellent
by h00die-gr3y, Sina Kheirkhah, Steven Seeley · ruby, poc, unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb


Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VMware NSX Manager (NSX-V) up to and including version 6.4.13
Authentication: none needed
Prerequisites: Network access to the target's API endpoint on port 443
Analyzed by devstral-2, Feb 16, 2026

Nuclei Templates (1)

XStream 1.4.18 - Remote Code Execution
HIGH · by pwnhxl, vicrack

References (13)

Core References (13)
Mailing List, Third Party Advisory (mailing-list)
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
Third Party Advisory (vendor-advisory)
https://www.debian.org/security/2021/dsa-5004

Scores

CVSS v3 8.5
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-03-10
VulnCheck KEV 2023-03-08
InTheWild.io 2023-03-06
ENISA EUVD EUVD-2021-1771
CWE
CWE-502 CWE-306 CWE-94
Status published
Products (36)
com.thoughtworks.xstream/xstream 0 - 1.4.18 (Maven)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
netapp/snapmanager (2 CPE variants)
oracle/business_activity_monitoring 12.2.1.4.0
oracle/commerce_guided_search 11.3.2
... and 26 more
Published Aug 23, 2021
KEV Added Mar 10, 2023
Tracked Since Feb 18, 2026