
Description

ZesleCP 3.1.9 contains an authenticated OS command injection vulnerability in its FTP account creation endpoint. An attacker who holds a valid control-panel login can submit an FTP account creation request whose field carries shell metacharacters and a trailing command; the panel hands that value to the operating system without neutralizing it, so the injected command runs on the server. The published exploit uses this to start a reverse shell that connects back to an attacker-controlled listening host, yielding remote code execution.
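The CWE-78 pattern the description refers to, as an added illustration that is not ZesleCP's code and not the published exploit. The real endpoint, request field names and the backend command the panel runs are not given in this record, so `echo` stands in for the provisioning tool and the attacker input is constructed. The block shows a handler that interpolates the username into a shell command string, the same input passed as a single argv element with no shell involved, and an allow-list check that rejects it before anything executes.

```python
"""Constructed illustration of OS command injection (CWE-78) in an
'add FTP account' handler. Not ZesleCP's code: the real tool the panel
invokes is unknown, so `echo` stands in for it.
"""
import re
import subprocess

# Constructed attacker input: a plausible username, a shell command
# separator, then a second command. In a real attack the second command
# would be a reverse shell; here it only prints a marker line.
INJECTED_USERNAME = "alice; echo INJECTED"

# Allow-list for FTP usernames (assumed policy: POSIX-style names only).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def create_ftp_account_vulnerable(username: str) -> str:
    """Vulnerable pattern: the user-controlled field is interpolated into a
    command string that /bin/sh parses, so ';', '|', '$(...)' and friends
    are interpreted as shell syntax rather than as part of the name."""
    cmd = f"echo adding ftp user {username}"  # stand-in for the real tool
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=False)
    return out.stdout


def provision_argv(username: str) -> str:
    """Same operation with no shell: the value is one argv element, so the
    separator and the trailing command are just characters in the name."""
    out = subprocess.run(["echo", "adding ftp user", username],
                         capture_output=True, text=True, check=False)
    return out.stdout


def is_valid_username(username: str) -> bool:
    """Allow-list check applied before any command is built."""
    return USERNAME_RE.fullmatch(username) is not None


def create_ftp_account_hardened(username: str) -> str:
    """Hardened handler: reject anything outside the allow-list, then
    provision without a shell (defense in depth: either step alone defeats
    this payload, both together are the norm)."""
    if not is_valid_username(username):
        raise ValueError(f"invalid ftp username: {username!r}")
    return provision_argv(username)


def second_command_ran(output: str) -> bool:
    """True if the injected second command emitted its marker as a line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    vuln = create_ftp_account_vulnerable(INJECTED_USERNAME)
    print("vulnerable:", repr(vuln), "-> injected command ran:",
          second_command_ran(vuln))
    safe = provision_argv(INJECTED_USERNAME)
    print("argv only:", repr(safe), "-> injected command ran:",
          second_command_ran(safe))
    try:
        create_ftp_account_hardened(INJECTED_USERNAME)
    except ValueError as err:
        print("hardened rejected input:", err)
    print("hardened:", repr(create_ftp_account_hardened("alice")))
```

Run it on any POSIX host: the shell=True path prints the marker on its own line, proving the second command executed, while the argv path echoes the whole string as one literal argument. The allow-list matters for the cases argv alone does not cover, such as a backend tool that treats a leading `-` as an option.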

Status: PUBLISHED | Reserved 2026-01-14 | Published 2026-01-15 | Updated 2026-01-16 | Assigner: VulnCheck

Severity

HIGH 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

ZesleCP <= 3.1.9: affected

Credits

Numan Türle (finder)

References

www.exploit-db.com/exploits/50233 (ExploitDB-50233) exploit

zeslecp.com/ (ZesleCP Official Website) product

www.youtube.com/watch?v=5lTDTEBVq-0 (Exploit Demonstration Video) exploit

www.vulncheck.com/...remote-code-execution-rce-authenticated (VulnCheck Advisory: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)) third-party-advisory

cve.org (CVE-2021-47794)

nvd.nist.gov (CVE-2021-47794)
