New Mirai Version Adds WebSVN Command Injection to Its Arsenal


Level 75
Content Creator
Malware Hunter
Aug 17, 2014
  • Latest Mirai variant features an exploit for unpatched versions of the WebSVN.
  • Mirai nests in the target system by using a published exploit and turns it into a part of its DDoS swarm.
  • The malware can accept commands remotely, using a custom text-based TCP protocol for the communications.
If you haven’t patched CVE-2021-32305 yet, you are currently running the risk of being compromised by the Mirai DDoS malware. The particular vulnerability was discovered and patched in May 2021 and affects the WebSVN subversion repository browser.

At the start of June 2021, a proof of concept exploit was released to the public, and by the end of the month, attacks were already exploiting the flaw. Mirai’s authors are always ready to update their botnet with new exploits, and they have already incorporated the fresh flaw that remains unaddressed in a significant number of deployments.

The WebSVN versions that are vulnerable to exploitation include everything prior to 2.6.1. The problem lies in the possibility of achieving code execution by including special characters in the search query sent to the PHP backend. Because older WebSVN versions don’t sanitize the user input before concatenating it to the other command arguments, an attacker may sneak in command arguments and execute them on the target.