CVE-2021-47794
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zeslecp | zeslecp | to 3.1.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47794 is an authenticated remote code execution vulnerability in ZesleCP version 3.1.9 and earlier. It allows an attacker with valid credentials to exploit the FTP account creation functionality by injecting shell commands into the FTP account password field. This injection enables the attacker to execute arbitrary commands on the server, such as creating a reverse shell that connects back to the attacker's machine, effectively granting remote shell access and full system compromise. [2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker can gain shell access, allowing them to execute arbitrary commands, potentially leading to full system compromise, data theft, service disruption, or further network penetration. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious FTP account creation requests in the ZesleCP control panel, especially those containing unusual or shell command injection payloads. Since exploitation involves creating FTP accounts with shell injection payloads that establish reverse shell connections, network detection can focus on identifying unexpected outbound connections on uncommon ports (e.g., port 1337) or to unknown external IPs. Commands to detect exploitation attempts include checking active network connections for suspicious reverse shell connections using tools like `netstat -anp | grep 1337` or `ss -tnp | grep 1337`. Additionally, reviewing web server or ZesleCP logs for POST requests to `/core/ftp` with unusual payloads can help detect attempts. Since the exploit requires authentication, monitoring for unusual login activity on port 2087 (ZesleCP HTTPS port) is also recommended. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the ZesleCP control panel to trusted users only, enforcing strong authentication controls, and monitoring for suspicious FTP account creation activity. Applying any available patches or updates from ZesleCP that address this vulnerability is critical. If patches are not available, consider disabling or restricting the FTP account creation functionality temporarily. Additionally, network-level controls such as firewall rules to block outbound connections on uncommon ports (e.g., 1337) can help prevent reverse shell connections. Monitoring and alerting on unusual login or FTP account creation activity is also advised. [2, 3]