CVE-2021-47728 | THREATINT

Description

Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit the 'addr' and 'port' parameters to inject commands and gain www-data user access through chained local file inclusion techniques.

PUBLISHED Reserved 2025-12-07 | Published 2025-12-09 | Updated 2025-12-12 | Assigner VulnCheck

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unaffected

Unknown

affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.exploit-db.com/exploits/49460 (ExploitDB-49460) exploit

www.selea.com (Selea Homepage) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php (Zero Science Lab Disclosure (ZSL-2021-5620)) third-party-advisory

github.com/zeroscience (Zero Science GitHub Repository) product

www.vulncheck.com/...-camera-remote-code-execution-via-utils (VulnCheck Advisory: Selea Targa IP Camera Remote Code Execution via Utils) third-party-advisory

cve.org (CVE-2021-47728)

nvd.nist.gov (CVE-2021-47728)

Download JSON