CVE-2021-44207: Vulnerability in Acclaim USAHERDS Actively Exploited, CISA Warns
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised the alarm on a critical security flaw impacting the Acclaim USAHERDS web application. This vulnerability, officially tracked as CVE-2021-44207 and carrying a CVSS severity score of 8.1, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring its active exploitation in the wild.
CVE-2021-44207 affects Acclaim USAHERDS versions 7.4.0.1 and earlier, with builds released prior to November 2021. At its core, the vulnerability stems from the use of static ValidationKey and DecryptionKey values within the application. These keys are used to sign and encrypt the application's ViewState, so their secrecy is what the ViewState protection depends on.
The ViewState mechanism ensures the integrity of data exchanged between the client and server by validating a keyed message authentication code (MAC) computed with those keys. However, when the keys are static and can be recovered by reverse engineering or are otherwise exposed, a threat actor holding them can construct malicious ViewState payloads that the server accepts as genuine.
Upon successful exploitation, attackers can trick the server into deserializing malicious ViewState data, bypassing integrity checks. This deserialization enables attackers to execute arbitrary code on the affected server, potentially compromising the entire system and its associated networks.
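The weakness described above is a configuration property: if the ASP.NET machineKey values are literal strings in web.config rather than generated per deployment, every installation shares the same ViewState signing secret. The following Python script is an added example (not code from the advisory, from CISA, or from Acclaim) that audits a web.config for that condition. The two configurations it checks are constructed for illustration and are not USAHERDS's actual configuration; the script assumes the standard ASP.NET layout with `<machineKey>` and `<pages>` under `<system.web>`. It goes slightly beyond the advisory's specific case by also flagging a disabled ViewState MAC (`enableViewStateMac="false"`), which defeats the integrity check outright.

```python
"""Audit an ASP.NET web.config for static ViewState keys (the CVE-2021-44207 weakness class).

Added example; not USAHERDS or CISA code. Both sample configurations below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed weak configuration: hard-coded keys shipped identically in every install,
# plus the ViewState MAC switched off. The hex strings are placeholders, not real keys.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed corrected configuration: ASP.NET generates keys per server and per application
# (AutoGenerate,IsolateApps) and the ViewState MAC stays enabled (the default).
FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the ViewState key settings look sound."""
    findings: list[str] = []
    root = ET.fromstring(config_xml)
    sys_web = root.find("system.web")
    if sys_web is None:
        return ["no <system.web> section found; cannot assess ViewState settings"]

    machine_key = sys_web.find("machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr)
            # Any literal value (i.e. not AutoGenerate) is a static key baked into the config.
            if value and not value.startswith("AutoGenerate"):
                findings.append(
                    f"static {attr}: a hard-coded key lets anyone who obtains it produce "
                    f"ViewState that passes validation; generate per deployment and rotate"
                )

    pages = sys_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(
            "enableViewStateMac=false: ViewState integrity checking is disabled entirely"
        )
    return findings


def audit_file(path: str) -> list[str]:
    """Convenience wrapper for auditing a web.config on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_machine_key(fh.read())


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit_machine_key(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run the script directly to see the weak configuration produce three findings and the corrected one produce none, or call `audit_file("C:/inetpub/wwwroot/app/web.config")` (path is a placeholder) against a real deployment. Note that `AutoGenerate,IsolateApps` is only appropriate for a single server; a web farm needs explicit keys shared across nodes, in which case the keys must be unique to that deployment, kept out of source control and installers, and rotated when exposure is suspected.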
CISA has added CVE-2021-44207 to its Known Exploited Vulnerabilities (KEV) catalog, a list of vulnerabilities with confirmed real-world exploitation. This underscores the urgency of the situation and the potential for widespread compromise. Federal agencies have been given a strict deadline of January 13, 2025, to apply the necessary patches and mitigate the risk.