CVE-2021-47770
Unknown Unknown - Not Provided

Authenticated Remote Code Execution in OpenPLC v3 Hardware Interface

Vulnerability report for CVE-2021-47770, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description

OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-07-06
AI Q&A
2026-01-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
openplc openplc 3
openplc openplc 4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2021-47770 is an authenticated remote code execution vulnerability in OpenPLC v3. Attackers who have valid credentials can inject malicious code through the hardware configuration interface by uploading a custom hardware layer containing embedded reverse shell code. This code establishes a network connection to an attacker-specified IP and port, allowing the attacker to execute commands remotely on the affected system. [1, 3]

Impact Analysis

This vulnerability allows an attacker with valid credentials to gain remote shell access to the system running OpenPLC v3. By injecting and executing malicious code, the attacker can execute arbitrary commands, potentially leading to full system compromise, unauthorized data access, disruption of industrial control processes, and loss of confidentiality, integrity, and availability of the affected system. [1, 3]

Detection Guidance

Detection involves monitoring for unusual network connections initiated by the OpenPLC server, especially reverse shell connections to unknown IP addresses and ports. On the system, check for suspicious processes related to OpenPLC or unexpected compilation and execution of PLC programs. Network commands such as 'netstat -anp | grep <openplc_process>' or 'ss -tnp | grep <openplc_process>' can help identify active connections. Additionally, reviewing web server logs for POST requests to endpoints like '/upload-program', '/hardware', '/compile-program', and '/start_plc' may indicate exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the OpenPLC web interface to trusted users only, enforcing strong authentication and credential management, and monitoring for unauthorized program uploads or hardware configuration changes. Upgrading to a newer, patched version of OpenPLC (such as OpenPLC v4) is recommended. If upgrade is not immediately possible, disable or restrict the hardware configuration interface and program upload features to prevent code injection. Regularly audit logs and network activity for signs of exploitation. [1, 2, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47770. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart