CVE-2021-21311 Adminer Database SSRF

ISGroup Cybersecurity

CVE-2021-21311 concerns Adminer, a lightweight database management tool widely distributed as a single PHP file (adminer.php). The vulnerability affects versions 4.0.0 through 4.7.8 that include all database drivers by default. The flaw lies in how Adminer handles responses from certain database drivers (specifically Elasticsearch and ClickHouse), which can expose raw HTTP responses in error messages. The issue was resolved in Adminer 4.7.9. Adminer is often exposed directly to the internet by administrators for convenience, significantly increasing the risk of exploitation. It was added to CISA’s Known Exploited Vulnerabilities Catalog on September 29, 2025.

ProductAdminer
Date2025-10-06 17:18:19
Information
  • Fix Available
  • Active Exploitation

Technical Summary

This is a Server-Side Request Forgery (SSRF) vulnerability with a CVSS v3 base score of 7.2 (High). The vulnerability allows an unauthenticated remote attacker to force Adminer to make arbitrary HTTP requests on behalf of the server on which it is running. Exploitation can lead to: Access to services and APIs available only internally, Exfiltration of sensitive data (e.g., cloud metadata services at 169.254.169.254), Port scanning and lateral movement within internal networks.

Exploits and proof-of-concepts are publicly available. Organizations that expose adminer.php endpoints without restrictions are at particular risk.

Recommendations

  1. Apply the patch immediately: Update Adminer to version 4.7.9 or later to fix the vulnerability.
  2. Restrict access: Limit access to Adminer (adminer.php) using allowlists, VPNs, or authentication controls.
  3. Deploy minimal builds: Use stripped-down builds of Adminer containing only the necessary database drivers, avoiding the full adminer.php file.
  4. Network controls: Block outbound connections from Adminer hosts to sensitive IP ranges (e.g., cloud metadata services).
  5. Monitoring: Implement advanced logging and monitoring to detect suspicious HTTP requests originating from Adminer or errors containing raw HTTP responses.

[Callforaction-THREAT-Footer]