Cyber Resilience

CVE-2021-3129

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 12 January 2021
Modified: 10 November 2025
KEV Added: 18 September 2023
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9429 (99.9th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-3129 is a critical-severity vulnerability of unspecified weakness type in Facade Ignition. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

Ignition before version 2.5.2, a component used in Laravel and other products, contains a vulnerability that permits unauthenticated remote code execution through insecure handling of file_get_contents() and file_put_contents(). The issue is exploitable specifically when debug mode is enabled in Laravel versions prior to 8.4.2; it carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers with network access can leverage the flaw to achieve arbitrary code execution on affected systems, gaining full control over confidentiality, integrity, and availability without requiring user interaction or credentials.

Public references, including a GitHub pull request for the Ignition project and detailed analyses on sites such as ambionics.io, point to updates in Ignition 2.5.2 and Laravel 8.4.2 as the primary mitigations, while multiple exploit proofs of concept have been published on PacketStorm.

EU & UK References

Vulnerability details

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

CWE(s): none listed
KEV Date Added: 18 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

facade/ignition ≤ 2.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- prevent, SI-2 (Flaw Remediation): Directly requires timely installation of vendor patches (Ignition 2.5.2 / Laravel 8.4.2) that eliminate the file_get_contents / file_put_contents RCE vector.
- prevent, CM-7 (Least Functionality): Mandates disabling non-essential capabilities such as debug mode, which is the specific precondition required to exploit the unauthenticated RCE.
- prevent: Requires validation of untrusted input before it is passed to file_get_contents / file_put_contents, limiting the ability to write and execute arbitrary code.
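As an added example (not part of this record or of the Ignition/Laravel projects), the Python check below tests a Laravel deployment for the two preconditions the analysis and the SI-2/CM-7 controls above describe: the facade/ignition version recorded in composer.lock and APP_DEBUG in .env. It assumes the standard composer.lock JSON layout and Laravel's (bool) env() cast for APP_DEBUG; the sample inputs are constructed.

```python
import json
import re

# First fixed release named on the page; anything older is in scope.
FIXED_IGNITION = (2, 5, 2)

# Constructed sample inputs (not taken from a real project).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.3.0"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.4.1"}],
})
SAMPLE_ENV = "APP_NAME=Demo\n# local dev settings\nAPP_DEBUG=true\nAPP_URL=http://localhost\n"

def parse_version(text):
    """Turn 'v2.4.1' or '2.5.2' into a comparable tuple; None if unparsable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def package_version(composer_lock_text, name):
    """Installed version of a package from composer.lock (prod or dev), or None."""
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return parse_version(pkg.get("version", ""))
    return None

def app_debug_enabled(env_text):
    """Read APP_DEBUG from .env the way Laravel's (bool) env() cast sees it."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "APP_DEBUG":
            value = value.strip().strip('"').strip("'").lower()
            return value in ("true", "(true)", "1")
    return False  # absent key falls back to Laravel's default of false

def assess(composer_lock_text, env_text):
    """Report both preconditions and whether they hold at the same time."""
    ignition = package_version(composer_lock_text, "facade/ignition")
    vulnerable = ignition is not None and ignition < FIXED_IGNITION
    debug = app_debug_enabled(env_text)
    return {"ignition": ignition, "vulnerable_package": vulnerable,
            "debug_enabled": debug, "exposed": vulnerable and debug}

if __name__ == "__main__":
    print(assess(SAMPLE_COMPOSER_LOCK, SAMPLE_ENV))
```

A result with "exposed" true means both the vulnerable package and the debug-mode precondition are present; either patching to 2.5.2 or setting APP_DEBUG=false removes the condition.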

References