CVE-2021-47794
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-16

Last updated on: 2026-01-16

Assigner: VulnCheck

Description
ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-16
Last Modified
2026-01-16
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47794
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zeslecp zeslecp to 3.1.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47794 is an authenticated remote code execution vulnerability in ZesleCP version 3.1.9 and earlier. It allows an attacker with valid credentials to exploit the FTP account creation functionality by injecting shell commands into the FTP account password field. This injection enables the attacker to execute arbitrary commands on the server, such as creating a reverse shell that connects back to the attacker's machine, effectively granting remote shell access and full system compromise. [2, 3]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker can gain shell access, allowing them to execute arbitrary commands, potentially leading to full system compromise, data theft, service disruption, or further network penetration. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious FTP account creation requests in the ZesleCP control panel, especially those containing unusual or shell command injection payloads. Since exploitation involves creating FTP accounts with shell injection payloads that establish reverse shell connections, network detection can focus on identifying unexpected outbound connections on uncommon ports (e.g., port 1337) or to unknown external IPs. Commands to detect exploitation attempts include checking active network connections for suspicious reverse shell connections using tools like `netstat -anp | grep 1337` or `ss -tnp | grep 1337`. Additionally, reviewing web server or ZesleCP logs for POST requests to `/core/ftp` with unusual payloads can help detect attempts. Since the exploit requires authentication, monitoring for unusual login activity on port 2087 (ZesleCP HTTPS port) is also recommended. [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the ZesleCP control panel to trusted users only, enforcing strong authentication controls, and monitoring for suspicious FTP account creation activity. Applying any available patches or updates from ZesleCP that address this vulnerability is critical. If patches are not available, consider disabling or restricting the FTP account creation functionality temporarily. Additionally, network-level controls such as firewall rules to block outbound connections on uncommon ports (e.g., 1337) can help prevent reverse shell connections. Monitoring and alerting on unusual login or FTP account creation activity is also advised. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart