AfterLogic Aurora and WebMail Pro - Path Traversal (CVE-2021-26293)
0Exploiting IPs reported
An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable file under the web root). This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x.
CrowdSec analysis
CVE-2021-26293, a path traversal vulnerability in AfterLogic Aurora and WebMail Pro through version 8.5.3, when DAV is enabled, allows attackers to create arbitrary files—including executable files—under the web root directory. Exploiting this flaw could enable remote code execution or the deployment of malicious scripts, posing a significant risk to the affected systems.
CrowdSec has been tracking this vulnerability and its exploits since 30th of June 2025.
Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2021-26293 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. CrowdSec data also reveals a clear uptick in attacks involving CVE-2021-26293 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.
Attackers exploit this vulnerability by sending POST requests to DAV endpoints, attempting to create files via directory traversal, potentially leading to webshell upload or arbitrary file creation.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.