
CVE-2021-21311

Severity: High
Flags: CISA KEV, Active Exploitation, EUVD Exploited, Public PoC

Published: 11 February 2021
Modified: 24 October 2025
KEV Added: 29 September 2025
Patch: fixed in version 4.7.9
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.9411 (99.9th percentile)
Risk Priority: 91 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-21311 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Adminer. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

Adminer is an open-source database management tool distributed as a single PHP file. It is affected by a server-side request forgery vulnerability in versions 4.0.0 through 4.7.8 that impacts users of builds bundling all drivers, such as adminer.php. The flaw is identified as CWE-918 and carries a CVSS 3.1 score of 7.2.

An unauthenticated remote attacker can send crafted requests to the Adminer instance to induce the server into making arbitrary outbound connections, resulting in limited impacts to confidentiality and integrity in the server's security context.

The issue is resolved in version 4.7.9. The project has published a security advisory and corresponding code commit, while Debian has issued an LTS announcement and the package metadata is tracked on Packagist to support patching.

Vulnerability details

Adminer is an open-source database management tool in a single PHP file. In Adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adminer, Product: adminer, Versions: 4.0.0 — 4.7.9
Vendor: debian, Product: debian linux, Versions: 9.0

Mitigating Controls (NIST 800-53 r5)

AC-4, Information Flow Enforcement (prevent): Enforces information flow policies that block the server from initiating arbitrary outbound connections triggered by crafted SSRF requests.

SC-7, Boundary Protection (prevent): Restricts and monitors outbound network traffic at system boundaries, directly preventing the unauthorized external requests enabled by the SSRF flaw.

Input validation (prevent): Validates all user-supplied input to Adminer to reject malicious parameters that induce server-side outbound connections.
