{
	"id": "e4a88a17-742f-44aa-bc0e-d55865c80b63",
	"created_at": "2026-04-06T00:16:18.516195Z",
	"updated_at": "2026-04-10T03:22:06.382443Z",
	"deleted_at": null,
	"sha1_hash": "4bf62fc73bf41b7cd369ff2c8a34082a091578b6",
	"title": "New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160197,
	"plain_text": "New Mirai Variant Targets WebSVN Command Injection\r\nVulnerability (CVE-2021-32305)\r\nBy Brock Mammen, Haozhe Zhang\r\nPublished: 2021-08-30 · Archived: 2026-04-05 21:21:49 UTC\r\nExecutive Summary\r\nWe have observed exploits in the wild for a recently disclosed command injection vulnerability affecting\r\nWebSVN, an open-source web application for browsing source code. The critical command injection vulnerability\r\nwas discovered and patched in May 2021. A proof of concept was released and within a week, on June 26, 2021,\r\nattackers exploited the vulnerability to deploy variants of the Mirai DDoS malware. We strongly recommend that\r\nWebSVN users upgrade to the latest software version.\r\nPalo Alto Networks Next-Generation Firewalls protect customers from the exploitation of CVE-2021-32305, and\r\nCortex XDR detects Mirai variants and prevents infection.\r\nRoot Cause and Patch Analysis of CVE-2021-32305\r\nLike many source code browsing tools, WebSVN allows users to search through the revision history to find\r\nrelevant code changes. These search requests are made by sending a query to the backend, which is written in\r\nPHP.\r\nFigure 1. The user’s input is read from the “search” parameter in search.php.\r\nIn versions of WebSVN prior to 2.6.1, the user’s search query is not escaped when it is used in a shell command.\r\nInside include/svnlook.php the function getListSearch is responsible for creating the shell command by\r\nconcatenating the search query with command arguments.\r\nFigure 2. The SVN command is created by concatenating it with the search query.\r\nA function called runCommand inside include/command.php finally executes the command by passing it to PHP’s\r\nproc_open function. The documentation for this function contains the following warning regarding the command\r\nparameter:\r\nhttps://unit42.paloaltonetworks.com/cve-2021-32305-websvn/\r\nPage 1 of 5\n\nFigure 3. PHP documentation.\r\nWithout properly escaping the user’s input, it is possible to achieve code execution by including special characters\r\nin the search query. To fix this vulnerability, the code was changed to sanitize the user input with escapeshellarg\r\nbefore concatenating it to the other command arguments.\r\nFigure 4. Vulnerability patch.\r\nAnother possible solution is to allow proc_open to automatically escape and quote the command by passing an\r\narray of strings as the first argument. This approach might be considered more concise and easier to maintain.\r\nHowever, it would have required making bigger changes to the existing code, and it is not compatible with older\r\nversions of PHP, which is likely the reason this solution was not chosen.\r\nproc_open(['svn', 'list', '-R', '--search', $searchstring, '--xml'], ...);\r\nFigure 5. Hypothetical code for safely running the shell command.\r\nExploitation in the Wild\r\nShortly after CVE-2021-32305 was made public, Unit 42 researchers observed attackers exploiting it in the wild.\r\nOne example of an attack is shown here:\r\nFigure 6. HTTP request.\r\nThe attacker uses command injection to download a shell script that will infect the system with malware. When\r\nabusing these types of web vulnerabilities, some important details about the target environment may be unknown\r\nto the attacker. These details include the operating system and processor architecture that the web server is\r\nrunning. The shell script used in the next step of the attack shows how the attacker can overcome this issue:\r\nFigure 7. Shell script.\r\nMalicious Linux binaries are provided for 12 different architectures. Instead of detecting which one is correct for\r\nthe target environment, a brute force approach is taken. The script simply downloads and attempts to execute the\r\nbinaries for every one of the possible architectures, disregarding any incompatibility errors. Although WebSVN is\r\na cross-platform PHP application capable of running on many operating systems, only Linux binaries are used in\r\nthis attack.\r\nMalware Analysis\r\nAnalysis of this malware reveals that it is used to perform distributed denial of service (DDoS) attacks and that it\r\nshares some of its code with the Mirai botnet family. To reduce the size of the executable files, each one is\r\ncompressed with a modified version of the popular open-source packer, UPX. Because the packer is modified, reverse\r\nengineering tools are less likely to unpack the executable files automatically, requiring more\r\nmanual effort for analysis. Additionally, the malware achieves portability by statically linking all of its\r\ndependencies and making system calls directly inside the code.\r\nAfter the malware is executed, it continuously tries to connect to its command and control (C2) server on port 666.\r\nOnce it establishes a connection, it communicates using a custom text-based TCP protocol. It begins by informing\r\nthe C2 of its architecture, and then it awaits commands from the operator.\r\nFigure 8. Main loop for processing C2 commands.\r\nThe main purpose of this malware family is to perform DDoS attacks, and the effectiveness of an attack depends\r\non the network protocols and techniques that are used. In the analyzed sample, there are eight types of attacks,\r\neach designed to be effective against a different type of target. The following table shows the commands the\r\nmalware operator can send to initiate each one.\r\nCommand Protocol Description\r\nOVHHEX UDP Targets servers hosted by OVH, a French cloud computing company.\r\nUDPBYPASS UDP Attempts to bypass network mitigations by sending crafted packets at calculated time intervals.\r\nNFOHEX UDP Floods the target with randomly generated hex-encoded data.\r\nSTD UDP Randomly sends packets from a list of three predefined payloads.\r\nVSE UDP Targets game servers built with Valve Source Engine.\r\nTCP TCP General attack for TCP-based protocols.\r\nSYN TCP Sends SYN packets to imitate a TCP connection request.\r\nACK TCP Sends ACK packets to imitate acknowledgement messages.\r\nTable 1. DDoS methods.\r\nConclusion\r\nWe observed exploits in the wild for a recently disclosed command injection vulnerability affecting WebSVN. In\r\none particular attack, the vulnerability is used to deploy DDoS malware. Attackers will continue to exploit the\r\nlatest vulnerabilities to expand their army of infected devices and increase the strength of their DDoS attacks.\r\nCustomers are strongly advised to upgrade to the latest software version.\r\nPalo Alto Networks Next-Generation Firewall customers are protected by the following subscriptions:\r\nThreat Prevention can block the attack with best practices via Threat Prevention Signature 91280.\r\nWildFire accurately detects and blocks these attacks.\r\nAdvanced URL Filtering blocks malicious malware domains.\r\nCortex XDR detects Mirai variants and prevents infection.\r\nIndicators of Compromise\r\n75.119.143[.]229\r\ne6f20e73af6cc393dd139b32117a8681e15edfe61c157f3509d1e740184b3d5c\r\nc782f9cdec637503472bc62d25348cefccc3de58244441547f3e2ed9b22c6c93\r\n63c2cae1f3d04d81a4a1dcd773c62d7e9a71cf7e3ae0c5a9f931353e86f11651\r\n3cc3d7d32e8c85e0c594ca5cb2ecfbfba66ebbc1853bcb02c2a39fce9f238dbc\r\ndc7cf2212f09482ac034eb7e9f89ef0cec8bc9532d4fe2db8a880c2e1e4ee8a2\r\n8cc43db17480170fac3213518fe18d52a5648ce04060561d6359d6c589a4321c\r\nb09c85e75f65a9acc4693957caf4b4c56dd808c7d0d657c1bc9f74a1bd772abe\r\na55a2318e95dcfbe2d2082ee569642034ab05168fa0142ff1009798131b61f52\r\nb43fd19dfeeb89507f9de162e7a727fa6024ca4b1d19cb5c44e53755200f2b66\r\n7dc972346b9f82709bbcaabc30f126984468e60f2b085091471a9796ac4539b9\r\nf4d851908e900d9201597f898cbb4420772a935901f25a77b31fc80e7cbc88b3\r\n889cc2a3e06c5770ff23017aa067cd8a01b8b410e143e9da63542ead7ce484da\r\nAdditional Resources\r\nUnit 42 research on Mirai\r\nSource: https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/"
	],
	"report_names": [
		"cve-2021-32305-websvn"
	],
	"threat_actors": [],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bf62fc73bf41b7cd369ff2c8a34082a091578b6.pdf",
		"text": "https://archive.orkl.eu/4bf62fc73bf41b7cd369ff2c8a34082a091578b6.txt",
		"img": "https://archive.orkl.eu/4bf62fc73bf41b7cd369ff2c8a34082a091578b6.jpg"
	}
}