CVE-2021-47770
Authenticated Remote Code Execution in OpenPLC v3 Hardware Interface
Publication date: 2026-01-21
Last updated on: 2026-01-21
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openplc | openplc | 3 |
| openplc | openplc | 4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47770 is an authenticated remote code execution vulnerability in OpenPLC v3. An attacker who holds valid credentials for the web interface can inject code through the hardware configuration page by saving a custom hardware layer that embeds reverse-shell code. The custom layer is built together with the PLC program and executed when the runtime is started, so the injected code runs on the host with whatever privileges the runtime process has and opens a connection back to an attacker-chosen IP address and port, giving the attacker a remote command shell. This is a CWE-94 code injection: the interface accepts user-supplied source as configuration without constraining what that source may do. [1, 3]
How can this vulnerability impact me?
This vulnerability allows an attacker with valid credentials to gain remote shell access to the system running OpenPLC v3. By injecting and executing malicious code, the attacker can execute arbitrary commands, potentially leading to full system compromise, unauthorized data access, disruption of industrial control processes, and loss of confidentiality, integrity, and availability of the affected system. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for unusual outbound network connections initiated by the OpenPLC runtime, especially reverse-shell connections to unknown IP addresses and ports; a new outbound TCP session opened by the runtime process itself is a strong signal. On the host, look for unexpected child processes of the runtime (a shell spawned by the PLC process) and for compilation of PLC programs that no operator scheduled. 'ss -tnp | grep <openplc_process>' or 'netstat -anp | grep <openplc_process>' list active connections together with the owning process. In the web server logs, the sequence that exploitation requires is a request to '/hardware' that saves a custom layer, followed by '/compile-program' and '/start_plc' from the same client; '/upload-program' can appear in the same pattern. A legitimate hardware change produces the same requests, so correlate the sequence with the source address and with change records rather than alerting on any single endpoint. [3]
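As an added example (not code from the advisory or from the OpenPLC project), the following Python script runs the correlation just described over a few constructed access-log lines: it flags any client that saves a hardware layer and then compiles and starts the runtime within a short window, and skips clients on an allowlist. The log lines are in common log format, as a reverse proxy in front of the Flask web UI would write them; the exact format of your server, the HTTP methods used for the compile and start requests, and the 15-minute window are assumptions to adjust for your deployment.

```python
"""Flag the hardware-change -> compile -> start sequence in OpenPLC web logs.

Added example for CVE-2021-47770 detection; not part of OpenPLC.
"""
import re
from datetime import datetime, timedelta

# Common log format (assumption: the real log format may differ, adjust LINE_RE).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The three request shapes the advisory names, in the order exploitation needs them.
# Only the hardware save is pinned to POST; the method of the other two is left open
# because it varies by version (assumption).
STAGES = (
    ("hardware", "POST", "/hardware"),
    ("compile", None, "/compile-program"),
    ("start", None, "/start_plc"),
)

# Constructed sample log: 10.0.0.5 performs the full sequence, 10.0.0.7 saved a
# layer hours before compiling (outside the window), 10.0.0.9 only viewed the
# hardware page and restarted the PLC, which is a normal operator action.
SAMPLE_LOG = """\
10.0.0.7 - - [21/Jan/2026:08:00:00 +0000] "POST /hardware HTTP/1.1" 302 -
10.0.0.7 - - [21/Jan/2026:09:30:00 +0000] "GET /compile-program?file=blank_program.st HTTP/1.1" 200 -
10.0.0.7 - - [21/Jan/2026:09:31:00 +0000] "GET /start_plc HTTP/1.1" 302 -
10.0.0.5 - - [21/Jan/2026:10:15:02 +0000] "POST /hardware HTTP/1.1" 302 -
10.0.0.5 - - [21/Jan/2026:10:15:10 +0000] "GET /compile-program?file=blank_program.st HTTP/1.1" 200 -
10.0.0.5 - - [21/Jan/2026:10:15:40 +0000] "GET /start_plc HTTP/1.1" 302 -
10.0.0.9 - - [21/Jan/2026:11:02:00 +0000] "GET /hardware HTTP/1.1" 200 -
10.0.0.9 - - [21/Jan/2026:11:02:30 +0000] "GET /start_plc HTTP/1.1" 302 -
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path (no query), status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], TS_FMT)
    req["path"] = req["path"].split("?", 1)[0]
    return req


def stage_of(req):
    """Map a request to one of the STAGES names, or None if it is unrelated."""
    for name, method, path in STAGES:
        if req["path"] == path and (method is None or req["method"] == method):
            return name
    return None


def find_sequences(lines, window=timedelta(minutes=15), allowlist=frozenset()):
    """One alert per client that completed hardware -> compile -> start inside
    `window`, measured from the hardware save. Allowlisted clients are skipped."""
    progress = {}  # ip -> (index of next expected stage, time of hardware save)
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None or req["ip"] in allowlist:
            continue
        stage = stage_of(req)
        if stage is None:
            continue
        if stage == "hardware":
            progress[req["ip"]] = (1, req["ts"])  # (re)start tracking this client
            continue
        idx, t0 = progress.get(req["ip"], (0, None))
        if idx == 0:
            continue  # compile/start without a prior hardware save: not our pattern
        if req["ts"] - t0 > window:
            progress.pop(req["ip"], None)  # too slow to be the same change; drop it
            continue
        if STAGES[idx][0] == stage:
            idx += 1
            if idx == len(STAGES):
                alerts.append({"ip": req["ip"], "hardware_at": t0, "started_at": req["ts"]})
                progress.pop(req["ip"])
            else:
                progress[req["ip"]] = (idx, t0)
    return alerts


if __name__ == "__main__":
    for alert in find_sequences(SAMPLE_LOG.splitlines()):
        print(f"{alert['ip']}: hardware layer saved {alert['hardware_at']}, "
              f"runtime started {alert['started_at']}")
```

Run against the sample it reports only 10.0.0.5; feed it your real access log with `find_sequences(open(path).read().splitlines())` and put the workstations of authorised engineers in `allowlist` so routine changes are not raised as alerts.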
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the OpenPLC web interface to trusted users and networks only, enforcing strong authentication and credential management, and monitoring for unauthorized program uploads or hardware configuration changes. Upgrading to a patched version of OpenPLC (such as OpenPLC v4) is recommended; note, however, that the Affected Vendors & Products table above lists both OpenPLC 3 and 4, so confirm with the vendor which release contains the fix before treating an upgrade as the remediation. If an upgrade is not immediately possible, disable or restrict the hardware configuration interface and the program upload feature so that only a small set of accounts can change the code the runtime compiles. Regularly audit logs and network activity for signs of exploitation. [1, 2, 3]