2021
05.19

This Metasploit module exploits an unauthenticated Java deserialization in the NetMotion Mobility server’s MvcUtil.valueStringToObject() method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 are vulnerable. Tested against 12.01.09045 on Windows Server 2016.

No Comment.

Add Your Comment

You must be logged in to post a comment.