1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Unrestricted File Upload Capability Group

Known Exploited Vulnerabilities Unrestricted File Upload Capability Group

All Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2018-15961 Adobe ColdFusion Unrestricted File Upload Vulnerability primary_impact T1491.002 External Defacement
Comments
In the wild, this CVE was seen to result in defacement.
References
  1. https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/
  2. https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
CVE-2018-15961 Adobe ColdFusion Unrestricted File Upload Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This vulnerability is exploited by uploading a file to a public-facing ColdFusion server.
References
  1. https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/
  2. https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
CVE-2021-3129 Laravel Ignition File Upload Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.
References
  1. https://blog.sonicwall.com/en-us/2021/04/laravel-ignition-remote-code-execution-vulnerability/
  2. https://isc.sans.edu/diary/Laravel+v842+exploit+attempts+for+CVE20213129+debug+mode+Remote+code+execution/27758
  3. https://pentest-tools.com/blog/exploit-rce-vulnerability-laravel-cve-2021-3129
CVE-2021-3129 Laravel Ignition File Upload Vulnerability primary_impact T1059 Command and Scripting Interpreter
Comments
This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.
References
  1. https://blog.sonicwall.com/en-us/2021/04/laravel-ignition-remote-code-execution-vulnerability/
  2. https://isc.sans.edu/diary/Laravel+v842+exploit+attempts+for+CVE20213129+debug+mode+Remote+code+execution/27758
  3. https://pentest-tools.com/blog/exploit-rce-vulnerability-laravel-cve-2021-3129
CVE-2021-27860 FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit primary_impact T1505.003 Web Shell
Comments
CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.
References
  1. https://www.itnews.com.au/news/volt-typhoon-attacks-attributed-to-china-596209
  2. https://www.ic3.gov/CSA/2021/211117-2.pdf
  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
CVE-2021-27860 FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit exploitation_technique T1190 Exploit Public-Facing Application
Comments
CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.
References
  1. https://www.itnews.com.au/news/volt-typhoon-attacks-attributed-to-china-596209
  2. https://www.ic3.gov/CSA/2021/211117-2.pdf
  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
CVE-2021-22005 VMware vCenter Server File Upload Vulnerability primary_impact T1059 Command and Scripting Interpreter
Comments
This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.
References
  1. https://arcticwolf.com/resources/blog/critical-vulnerability-in-vmware-vcenter-server-cve-2021-22005/
  2. https://securityaffairs.com/122686/hacking/cve-2021-22005-exploit-vmware-vcenter.html
CVE-2021-22005 VMware vCenter Server File Upload Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.
References
  1. https://arcticwolf.com/resources/blog/critical-vulnerability-in-vmware-vcenter-server-cve-2021-22005/
  2. https://securityaffairs.com/122686/hacking/cve-2021-22005-exploit-vmware-vcenter.html
CVE-2021-22900 Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability primary_impact T1068 Exploitation for Privilege Escalation
Comments
This vulnerability is exploited through multiple unrestricted uploads. Adversaries with authenticated administrator privileges leverage this vulnerability to perform unauthorized file writes on the system via a maliciously crafted archive upload within the administrator web interface in Pulse Connect Secure.
References
  1. https://www.clouddefense.ai/cve/2021/CVE-2021-22900
  2. https://forums.ivanti.com/s/article/SA44784?language=en_US
CVE-2021-22900 Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
Comments
This vulnerability is exploited through multiple unrestricted uploads. Adversaries with authenticated administrator privileges leverage this vulnerability to perform unauthorized file writes on the system via a maliciously crafted archive upload within the administrator web interface in Pulse Connect Secure.
References
  1. https://www.clouddefense.ai/cve/2021/CVE-2021-22900
  2. https://forums.ivanti.com/s/article/SA44784?language=en_US
CVE-2022-29464 WSO2 Multiple Products Unrestrictive Upload of File Vulnerability secondary_impact T1496 Resource Hijacking
Comments
CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations where they can then send commands. Adversaries have been seen to use this to mine cryptocurrency.
References
  1. https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
  2. https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/
CVE-2022-29464 WSO2 Multiple Products Unrestrictive Upload of File Vulnerability primary_impact T1202 Indirect Command Execution
Comments
CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations where they can then send commands. Adversaries have been seen to use this to mine cryptocurrency.
References
  1. https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/
CVE-2022-29464 WSO2 Multiple Products Unrestrictive Upload of File Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations where they can then send commands. Adversaries have been seen to use this to mine cryptocurrency.
References
  1. https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
  2. https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/

Capabilities

Capability ID Capability Name Number of Mappings
CVE-2021-27860 FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit 2
CVE-2022-29464 WSO2 Multiple Products Unrestrictive Upload of File Vulnerability 3
CVE-2021-3129 Laravel Ignition File Upload Vulnerability 2
CVE-2021-22005 VMware vCenter Server File Upload Vulnerability 2
CVE-2018-15961 Adobe ColdFusion Unrestricted File Upload Vulnerability 2
CVE-2021-22900 Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability 2