CVE-2021-47745
Authenticated Command Injection in Cypress CTM-200 Firmware Upgrade
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cypress_solutions | ctm-200 | 2.0.5.3356-184 |
| cypress_solutions | ctm-200 | 2.7.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47745 is an authenticated command injection vulnerability in the Cypress Solutions CTM-200 firmware upgrade process. Specifically, the vulnerability exists in the 'ctm-config-upgrade.sh' script, where the 'fw_url' parameter is not properly sanitized. An attacker with valid credentials can inject arbitrary shell commands via this parameter, which are then executed with root privileges on the device. This allows the attacker to run any command on the system remotely, leading to a full compromise of the device. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability allows an authenticated remote attacker to execute arbitrary commands as the root user on the affected device. This can lead to full system compromise, unauthorized access to sensitive data, disruption of device functionality, and potential use of the device as a foothold for further attacks within a network. Since the device is often used in industrial or SCADA communication environments, exploitation could impact critical infrastructure or mobile fleet operations. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the authenticated command injection in the firmware upgrade script. Specifically, sending a multipart/form-data POST request to the endpoint `/cgi-bin/webif/ctm-config-upgrade.sh` with the `fw_url` parameter set to a command such as `id` can confirm the vulnerability if the response shows output like `gid=0(root)/uid=0(root)`. This indicates that arbitrary commands are executed with root privileges. Detection involves verifying if the device responds to such crafted requests, which require valid authentication. Example command (using curl) to test the vulnerability: `curl -k -u <username>:<password> -X POST -F 'install_fw_url=1' -F 'fw_url=id' https://<target-ip>/cgi-bin/webif/ctm-config-upgrade.sh` and check if the response contains root user information. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable firmware upgrade interface to trusted administrators only, ensuring strong authentication credentials are used, and monitoring for any unauthorized attempts to access the `/cgi-bin/webif/ctm-config-upgrade.sh` script. Since the vulnerability requires authentication, limiting user privileges and network exposure reduces risk. Additionally, applying any available firmware updates or patches from Cypress Solutions that address this issue is critical. If no patch is available, consider disabling the firmware upgrade functionality remotely or isolating the device from untrusted networks until a fix is applied. [1, 2, 3]