
NetMotion Mobility Server MvcUtil Java Deserialization

Posted by deepcore on May 19, 2021 – 6:02 pm

This Metasploit module exploits an unauthenticated Java deserialization in the NetMotion Mobility server’s MvcUtil.valueStringToObject() method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 are vulnerable. Tested against 12.01.09045 on Windows Server 2016.
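For defenders, the affected version ranges and the endpoint named above can be turned into a quick triage check. The following is an added example, not part of the original post or of the Metasploit module. It assumes version strings of the form `major.minor.build` (as in the tested build), web access logs in Common/Combined Log Format, and case-insensitive path matching as a conservative choice. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/mobility/menu/isloggedon"   # endpoint from the advisory, lower-cased
FIXED_MINOR = {11: 73, 12: 2}            # first fixed minor per major, per the advisory

# Assumption: Common/Combined Log Format; adapt the pattern to the real log source.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/May/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/May/2021:10:00:05 +0000] "POST /mobility/Menu/isLoggedOn HTTP/1.1" 200 87',
    '198.51.100.7 - - [19/May/2021:10:00:06 +0000] "POST /mobility//menu/%69sLoggedOn?x=1 HTTP/1.1" 500 0',
    '192.0.2.10 - - [19/May/2021:10:00:09 +0000] "GET /mobility/Menu/isLoggedOnX HTTP/1.1" 404 0',
]

def version_status(version):
    """Classify a 'major.minor[.build]' string against the advisory's ranges."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED_MINOR:
        return "not_covered"             # advisory only speaks to 11.x and 12.x
    return "vulnerable" if minor < FIXED_MINOR[major] else "fixed"

def normalise_path(target):
    """Drop the query string, decode percent-escapes, collapse slashes, lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def endpoint_hits(lines):
    """Return (source, timestamp, method, status) for requests to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalise_path(m["target"]) == ENDPOINT:
            hits.append((m["src"], m["ts"], m["method"], int(m["status"])))
    return hits

if __name__ == "__main__":
    print(version_status("12.01.09045"))
    for hit in endpoint_hits(SAMPLE_LOG):
        print(hit)
```

Hits are review candidates rather than proof of exploitation; prioritise them on servers that `version_status` reports as vulnerable.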

