CVE-2021-39392
CRITICAL
MyLittleBackup <= 1.7 - Remote Code Execution via Hardcoded MachineKey Deserialization
Title source: llm
Description
The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
References (2)
Core References
Broken Link x_refsource_misc
http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip
Third Party Advisory x_refsource_misc
https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281
Scores
CVSS v3
9.8
EPSS
0.0219
EPSS Percentile
80.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
mylittletools/mylittlebackup
< 1.7
Published
Sep 15, 2021
Tracked Since
Feb 18, 2026