CVE-2021-47770
Unknown Unknown - Not Provided
Authenticated Remote Code Execution in OpenPLC v3 Hardware Interface

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47770
EUVD
EUVD-2026-3655
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openplc openplc 3
openplc openplc 4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47770 is an authenticated remote code execution vulnerability in OpenPLC v3. Attackers who have valid credentials can inject malicious code through the hardware configuration interface by uploading a custom hardware layer containing embedded reverse shell code. This code establishes a network connection to an attacker-specified IP and port, allowing the attacker to execute commands remotely on the affected system. [1, 3]

Impact Analysis

This vulnerability allows an attacker with valid credentials to gain remote shell access to the system running OpenPLC v3. By injecting and executing malicious code, the attacker can execute arbitrary commands, potentially leading to full system compromise, unauthorized data access, disruption of industrial control processes, and loss of confidentiality, integrity, and availability of the affected system. [1, 3]

Detection Guidance

Detection involves monitoring for unusual network connections initiated by the OpenPLC server, especially reverse shell connections to unknown IP addresses and ports. On the system, check for suspicious processes related to OpenPLC or unexpected compilation and execution of PLC programs. Network commands such as 'netstat -anp | grep <openplc_process>' or 'ss -tnp | grep <openplc_process>' can help identify active connections. Additionally, reviewing web server logs for POST requests to endpoints like '/upload-program', '/hardware', '/compile-program', and '/start_plc' may indicate exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the OpenPLC web interface to trusted users only, enforcing strong authentication and credential management, and monitoring for unauthorized program uploads or hardware configuration changes. Upgrading to a newer, patched version of OpenPLC (such as OpenPLC v4) is recommended. If upgrade is not immediately possible, disable or restrict the hardware configuration interface and program upload features to prevent code injection. Regularly audit logs and network activity for signs of exploitation. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47770. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart