IRONSMITHINTEL
MEDIUMCVSS6.8
|
Actively Exploited
|CISA KEV|CVE-2021-22204|Auth: none — unauthenticated|Reboot: required|Manual only

ExifTool Remote Code Execution Vulnerability

Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

Published Apr 23, 2021 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A local attacker, without authentication, can achieve partial data exposure, partial data tampering, partial service disruption. Federal agencies are required to remediate by 2021-12-01 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Code Injection (CWE-94) vulnerability in Perl Exiftool. Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image Exploitation requires local access, low attack complexity, no authentication required, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running exiftool: 7.44 ≤ v < 12.24; debian linux: 9.0, 10.0; fedora: 32, 33, 34
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1
    Vendor advisory: https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-22204
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22204
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2021-22204NVDVendor Advisory