MovableType remote code execution
Description
Movable Type versions 6.0.6 and earlier, as well as versions 5.2.11 and earlier, contain a critical vulnerability in the Storable Perl module that allows unauthenticated attackers to perform local file inclusion (LFI) attacks. This vulnerability enables attackers to include and execute arbitrary Perl scripts on the web server, leading to remote code execution. The flaw stems from improper input validation when processing serialized data through the Storable module.
Remediation
Immediately upgrade Movable Type to a patched version to remediate this vulnerability:
For Movable Type 6.0.x users: Upgrade to version 6.0.7 or later
For Movable Type 5.2.x users: Upgrade to version 5.2.12 or later
For Movable Type 5.0.x and 5.1.x users: These versions have reached End of Life and are no longer supported. Migrate to Movable Type 5.2.12 or later immediately
Upgrade steps:
1. Back up your current Movable Type installation, database, and configuration files
2. Download the appropriate patched version from the official Movable Type website
3. Follow the official upgrade documentation for your specific version
4. Test the upgraded installation in a staging environment before deploying to production
5. Verify that the vulnerability has been remediated after upgrade
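To support step 5, the following version check is an added example (not part of this advisory and not Movable Type's own tooling). It reads the installed version and classifies it against the fixed releases the advisory lists. It assumes the installation's `lib/MT.pm` carries a `$VERSION = '...'` assignment; the file path and the sample file contents are constructed for illustration, and versions outside the branches named above are reported as "not covered" rather than guessed at.

```python
"""Classify an installed Movable Type version against this advisory.

Added example; assumes lib/MT.pm contains a `$VERSION = '...'` line.
"""
import re
import sys

# Fixed releases per affected branch, as stated in the advisory.
FIXED = {(6, 0): (6, 0, 7), (5, 2): (5, 2, 12)}
# Branches the advisory lists as End of Life (no patch available).
EOL_BRANCHES = {(5, 0), (5, 1)}

# Matches the version assignment assumed to exist in lib/MT.pm.
VERSION_RE = re.compile(r"""\$VERSION\s*=\s*['"]([^'"]+)['"]""")

# Constructed sample of what the relevant lines of lib/MT.pm might look like.
SAMPLE_MT_PM = """package MT;
use strict;
our $VERSION = '6.0.6';
"""


def parse_version(text):
    """Turn '6.0.6', 'v5.2.11' or '6.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(version):
    """Return 'vulnerable', 'patched', 'eol' or 'not covered' for a version string."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if (major, minor) in EOL_BRANCHES:
        return "eol"
    if major == 6:
        # 6.0.7 and any later 6.x release count as patched.
        return "patched" if v >= FIXED[(6, 0)] else "vulnerable"
    if major == 5 and minor >= 2:
        return "patched" if v >= FIXED[(5, 2)] else "vulnerable"
    # Releases the advisory does not mention (e.g. 4.x): do not guess.
    return "not covered"


def version_from_mt_pm(source):
    """Extract the version string from the text of lib/MT.pm."""
    m = VERSION_RE.search(source)
    if not m:
        raise ValueError("no $VERSION assignment found in MT.pm")
    return m.group(1)


if __name__ == "__main__":
    # Usage: python mt_version_check.py /path/to/mt/lib/MT.pm
    # Without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_MT_PM
    found = version_from_mt_pm(source)
    print(f"Movable Type {found}: {classify(found)}")
```

Run it against the real `lib/MT.pm` after the upgrade; a result other than "patched" means the upgrade did not take effect or the installation is on an unsupported branch and must be migrated.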
As an interim mitigation if immediate patching is not possible, restrict network access to the Movable Type administrative interface using firewall rules or web server access controls to trusted IP addresses only.
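One way to apply the web server access control described above, as an added example that is not part of this advisory: an Apache httpd 2.4 fragment that limits the Movable Type administrative CGI to trusted source addresses. The URL path and the address ranges are placeholders to be replaced with the deployment's own values; the surrounding virtual host configuration is assumed to exist.

```apache
# Added example (not from the advisory): allow the MT admin interface
# only from trusted networks. Replace the path and addresses as needed.
<Location "/mt/mt.cgi">
    # Apache 2.4 authorization: everything not listed is denied with 403.
    Require ip 192.0.2.0/24 198.51.100.10
</Location>

# Movable Type ships other CGI entry points alongside mt.cgi; covering the
# whole script directory avoids leaving one of them reachable.
<LocationMatch "^/mt/.*\.cgi$">
    Require ip 192.0.2.0/24 198.51.100.10
</LocationMatch>
```

Reload httpd after the change and confirm from an untrusted address that `mt.cgi` answers 403, and from a trusted one that the login page still loads. This narrows who can reach the vulnerable code but does not remove it; the upgrade remains the actual fix.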