Home

Description

Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).

PUBLISHED Reserved 2026-01-15 | Published 2026-04-07 | Updated 2026-05-14 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version before 4.0.0.7_20210716.180815
affected

Credits

The Shadowserver Foundation reporter

References

www.cnvd.org.cn/flaw/show/CNVD-2021-41972 government-resource

www.cnvd.org.cn/patchInfo/show/280166 patch

cn-sec.com/archives/4631959.html technical-description exploit

avd.aliyun.com/detail?id=AVD-2021-890232 third-party-advisory

www.vulncheck.com/...ystem-command-injection-via-toquery-php third-party-advisory

cve.org (CVE-2021-4473)

nvd.nist.gov (CVE-2021-4473)

Download JSON