Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2021-20837
PUBLISHEDMovable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002...
- Vendor
- Six Apart Ltd.
- Product
- Movable Type
- Published
- Oct 26, 2021
- EPSS
- —
Automate this intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.
Description
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploitation status
Exploited in the wild
Recorded 2026-06-08 00:00:00 UTC · The Shadowserver (via CIRCL)
Proof of concept available
Recorded 2021-10-30 09:15:56 UTC · GitHub
References
- https://movabletype.org/news/2021/10/mt-782-683-released.html
- https://jvn.jp/en/jp/JVN41119755/index.html
- http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) First | 2025-06-13 00:00 UTC |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-20837.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2021-10-30 09:15:56 UTC · 21 stars
XMLRPC - RCE in MovableTypePoC
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Proof of Concept Exploit Available
-
Detected by Nuclei
-
Added to KEVIntel