CVE-2021-47747
Authenticated Remote Code Execution in meterN 1.2.3 Admin Scripts
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | 2.4.46 |
| jean-marc_louviaux | metern | 1.2.3 |
| php | php | 7.2.33 |
| jean-marc_louviaux | metern | 0.8.3.2 |
| apache | http_server | 2.4.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated remote code execution (RCE) flaw in meterN versions 1.2.3 and 0.8.3.2. It exists in the admin_meter2.php and admin_indicator2.php scripts, where the application accepts POST parameters 'COMMANDx' and 'LIVECOMMANDx'. These parameters are sanitized using PHP's htmlspecialchars function but are then directly passed to the exec() function without proper validation, allowing an attacker with administrative privileges to execute arbitrary operating system commands remotely. The vulnerability can also be exploited via Cross-Site Request Forgery (CSRF), where an authenticated administrator visiting a malicious website could unknowingly execute arbitrary commands on the server. [1, 3, 4]
How can this vulnerability impact me? :
This vulnerability allows an attacker with administrative access to execute arbitrary system commands on the affected meterN server remotely. This can lead to full compromise of the system, including unauthorized data access, modification, deletion, or disruption of services. Additionally, because the vulnerability can be exploited via CSRF, an attacker could trick an authenticated administrator into executing malicious commands without their knowledge, increasing the risk of system takeover or data breach. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the admin_meter2.php and admin_indicator2.php scripts that include the parameters 'COMMANDx' or 'LIVECOMMANDx'. Suspicious or unexpected POST requests containing these parameters may indicate exploitation attempts. Additionally, reviewing server logs for exec() calls triggered by these parameters can help detect exploitation. A practical detection method is to use tools like curl or wget to simulate POST requests with these parameters to test if the system executes commands. For example, a command to test might be: curl -X POST -d 'COMMANDx=whoami' http://<target>/admin_meter2.php and observe if the response contains the output of the command. Monitoring for unusual command execution or unexpected administrative commands in logs is also recommended. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading meterN to version 1.2.4.1 or later, where the vulnerability has been fixed. If upgrading is not immediately possible, restrict access to the admin_meter2.php and admin_indicator2.php scripts to trusted administrators only, ideally via network-level controls such as firewalls or VPNs. Disable or restrict the use of the 'COMMANDx' and 'LIVECOMMANDx' POST parameters if possible. Additionally, implement CSRF protections to prevent exploitation via malicious websites. Monitoring and logging administrative command executions can help detect exploitation attempts. Applying these mitigations reduces the risk until a full patch can be applied. [3, 4]