CVE-2021-21315
Published: 2021-02-16
Priority: P1 · 87 · high · 7.8 (CVSS 3.1)
AV:L · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-02-01
Exploited in the wild
EPSS: 90.24% (99.8th percentile)
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ...: allow only strings and reject any arrays. String sanitation works as expected.
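One way to apply the strings-only workaround at the application boundary, as an added example that is not code from the systeminformation project. The helper names and `lookupStub` (an offline stand-in for a call such as si.services()) are hypothetical.

```javascript
// Stand-in for a library call such as si.services(); it only echoes its
// input so the example runs offline. (Assumption: not the real library.)
async function lookupStub(name) {
  return { name, running: false };
}

// Hypothetical helper: accept only a primitive, non-empty, bounded string.
function requireString(value, label, maxLen = 128) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
    throw new TypeError(`${label}: expected string, got ${kind}`);
  }
  if (value.length === 0 || value.length > maxLen) {
    throw new RangeError(`${label}: length must be 1..${maxLen}`);
  }
  return value;
}

// Wrap a function so its first argument is type-checked before the call.
function stringOnly(fn, label) {
  return (arg, ...rest) => fn(requireString(arg, label), ...rest);
}

// Read one query parameter, refusing repeated keys and bracket forms
// (name=a&name=b, name[]=a, name[0]=a), which many query-string parsers
// turn into arrays before the handler ever sees them.
function singleQueryParam(rawQuery, key) {
  const params = new URLSearchParams(rawQuery); // percent-decodes keys and values
  for (const k of params.keys()) {
    if (k.startsWith(`${key}[`)) {
      throw new TypeError(`${key}: array-style parameter rejected`);
    }
  }
  const values = params.getAll(key);
  if (values.length !== 1) {
    throw new TypeError(`${key}: expected exactly one value, got ${values.length}`);
  }
  return values[0];
}

// Guarded entry point: arrays and other non-strings never reach the call.
const safeLookup = stringOnly(lookupStub, 'name');
```

The type check runs before the wrapped function is invoked, so a rejected value fails synchronously and can be mapped to an HTTP 400 by the caller.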
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | cordova | — | — |
| paloalto | pan-os | — | — |
| sebhildebrandt | systeminformation | < 5.3.1 | 5.3.1 |
| systeminformation | systeminformation | < 5.3.1 | 5.3.1 |
| systeminformation | systeminformation | >= 0 < 5.3.1 | 5.3.1 |
Detection & IOCs (extracted from sources)
snort

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/getServices?name"; fast_pattern; pcre:"/^(?:\x28|\x29|\x3c|\x3e|\x26|\x2a|\xe2|\x80|\x98|\x7c|\x3f|\x3b|\x5b|\x5d|\x5e|\x7e|\x21|\x2e|\xe2|\x80|\x9d|\x25|\x40|\x2f|\x5c|\x3a|\x2b|\x2c|\x60)/R"; content:"|3d|"; within:10; reference:cve,2021-21315; classtype:attempted-admin; sid:2034973; rev:3; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21315, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
```
- Exploit requests use HTTP GET to /api/getServices with the 'name' parameter supplied as an array (e.g., name[]=...) containing shell metacharacters or subshell syntax such as $(...)
- Response body of a successful exploitation attempt will contain the literal injected command string alongside JSON keys 'name', 'running', and 'pids'
- Successful exploit responses return HTTP 200 with Content-Type: application/json
- The Emerging Threats Snort rule (SID 2034973) triggers on GET requests to /api/getServices?name where the value begins with shell-special characters (parentheses, angle brackets, pipe, semicolon, brackets, etc.) followed by an '=' sign (hex 3d) within 10 bytes
- Vulnerable functions that accept unsanitized parameters include si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad(); passing arrays instead of strings triggers injection
- The vulnerability is only exploitable in systeminformation versions prior to 5.3.1; version 5.3.1 and later are patched
- Array-type inputs to the vulnerable functions are the trigger; string inputs with proper sanitization are safe, so detection logic should focus on array-style query parameters (e.g., name[])
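The array-style parameter check described in the list above, applied to web access logs, as an added example that is not part of the original page or of any vendor rule. The log lines are constructed, and the `SHELL_META` pattern and function names are assumptions chosen for illustration.

```javascript
// Constructed sample access-log lines (combined log format); not real traffic.
const SAMPLE_LOG = [
  '198.51.100.7 - - [01/Feb/2022:10:00:01 +0000] "GET /api/getServices?name=nginx HTTP/1.1" 200 58',
  '198.51.100.9 - - [01/Feb/2022:10:00:02 +0000] "GET /api/getServices?name[]=%24(PLACEHOLDER) HTTP/1.1" 200 91',
  '198.51.100.9 - - [01/Feb/2022:10:00:03 +0000] "GET /api/getServices?name%5B0%5D=sshd HTTP/1.1" 200 60',
  '198.51.100.4 - - [01/Feb/2022:10:00:04 +0000] "POST /api/login HTTP/1.1" 302 0',
];

// Request line and status code as they appear in combined log format.
const REQUEST_RE = /"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/;
// Assumption: a small set of shell metacharacters used to raise severity.
const SHELL_META = /\$\(|[`;|&<>]/;

// Return a finding when a GET to `path` carries `key` in array form
// (key[] or key[n]); return null for anything else.
function inspectLine(line, path = '/api/getServices', key = 'name') {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [, method, target, status] = m;
  const qPos = target.indexOf('?');
  if (method !== 'GET' || qPos < 0 || target.slice(0, qPos) !== path) return null;

  const hits = [];
  // URLSearchParams percent-decodes keys and values, so name%5B%5D is caught too.
  for (const [k, v] of new URLSearchParams(target.slice(qPos + 1))) {
    if (k.startsWith(`${key}[`)) {
      hits.push({ key: k, shellMeta: SHELL_META.test(v) });
    }
  }
  if (hits.length === 0) return null;
  return { source: line.split(' ')[0], status: Number(status), hits };
}

// Scan a batch of log lines and keep only the findings.
function scan(lines) {
  return lines.map((l) => inspectLine(l)).filter(Boolean);
}
```

A finding with status 200 lines up with the response indicator listed above and is worth triaging first.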
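CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 7.1 | HIGH | |
| cisa | | 7.8 | HIGH | |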
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2025-02-12·CVSS 7.1
CVE-2015-5312 [HIGH] PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
CISA
System Information Library for Node.JS Command Injection
cisa·2022-01-18·CVSS 7.8
CVE-2021-21315 [HIGH] CWE-78 System Information Library for Node.JS Command Injection
Vulnerability: System Information Library for Node.JS Command Injection
Affected: Npm package System Information Library for Node.JS
In this vulnerability, an attacker can send a malicious payload that will exploit the name parameter. After successful exploitation, attackers can execute remote.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-21315
Remediation Due Date: 2022-02-01
OSV
Command Injection Vulnerability
osv·2021-02-16
CVE-2021-21315 [HIGH] Command Injection Vulnerability
### Impact
command injection vulnerability
### Patches
Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1
### Workarounds
If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
GHSA
Command Injection Vulnerability
ghsa·2021-02-16
CVE-2021-21315 [HIGH] CWE-78 Command Injection Vulnerability
### Impact
command injection vulnerability
### Patches
Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1
### Workarounds
If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
VulnCheck
System Information Library for Node.JS Command Injection
vulncheck·2021·CVSS 7.1
CVE-2021-21315 [HIGH] CWE-78 System Information Library for Node.JS Command Injection
In this vulnerability, an attacker can send a malicious payload that will exploit the name parameter. After successful exploitation, attackers can execute remote.
Affected: Npm package System Information Library for Node.JS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_type=src&vulnerability=cve-2021-21315; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-17&host_type=src&vulnerability=cve-2021-21315; htt
Suricata
ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)
suricata·2022-01-25·CVSS 7.1
CVE-2021-21315 [HIGH] ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/getServices?name"; fast_pattern; pcre:"/^(?:\x28|\x29|\x3c|\x3e|\x26|\x2a|\xe2|\x80|\x98|\x7c|\x3f|\x3b|\x5b|\x5d|\x5e|\x7e|\x21|\x2e|\xe2|\x80|\x9d|\x25|\x40|\x2f|\x5c|\x3a|\x2b|\x2c|\x60)/R"; content:"|3d|"; within:10; reference:cve,2021-21315; classtype:attempted-admin; sid:2034973; rev:3; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21315, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_K
Nuclei
Node.JS System Information Library <5.3.1 - Remote Command Injection
nuclei·CVSS 7.8
CVE-2021-21315 [HIGH] Node.JS System Information Library <5.3.1 - Remote Command Injection
Node.JS System Information Library System before version 5.3.1 is susceptible to remote command injection. Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information.
Template:

```yaml
id: CVE-2021-21315

info:
  name: Node.JS System Information Library <5.3.1 - Remote Command Injection
  author: pikpikcu
  severity: high
  description: Node.JS System Information Library System before version 5.3.1 is susceptible to remote command injection. Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information.
  impact: |
    Successful exploitation of this vulnerability allows remote atta
```
Qualys
Identify Server-Side Attacks Using Qualys Periscope | Qualys
blogs_qualys·2022-12-01·CVSS 8.8
[HIGH] Identify Server-Side Attacks Using Qualys Periscope | Qualys
#### Table of Contents
- Potential False Positives
- Potential False Negatives
Qualys previously announced the introduction of Qualys Periscope in 2020. This technology allows Qualys Web Application Scanning (WAS) to detect out-of-band vulnerabilities such as server-side request forgery (SSRF). Qualys Periscope provides confirmed detections for additional vulnerabilities, such as Log4j, where it enables rapid development and release of the QID. Occasionally, Qualys receives questions and support cases related to Qualys Periscope. This article will provide more detail on the common questions/situations seen with out-of-band detections.
As of publishing, the vulnerability detections that utilize Qualys Periscope are:
- QID 150055 – OS Command Injection
- QID 150179 – Blind XXE injection
Unit42
Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
blogs_unit42·2022-07-21·CVSS 9.8
CVE-2017-5638 [CRITICAL] Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
## Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
Unit 42
Published: July 21, 2022
Tags: Trend Reports, Vulnerabilities, Apache Log4j, CVE-2017-5638, CVE-2017-9841, CVE-2018-19986, CVE-2019-02320, CVE-2019-19597, CVE-2019-9082, CVE-2020-14882, CVE-2020-14883, CVE-2020-15505, CVE-2020-15506, CVE-2020-25078, CVE-2020-5902, CVE-2021-21315, CVE-2021-22986, CVE-2021-26855, CVE-2021-31805, CVE-2021-34473, CVE-2021-35464, CVE-2021-38647, CVE-2021-40438, CVE-2021-40539, CVE-2021-41773, CVE-2021-42013, CVE-2021-44228, CVE-2021-45046, CVE-2022-22963, CVE-2022-22965, Network security trends, Unit 42 Network Threat Trends Research Report
## Executive Summary
Tens of thousands of vulnerabilities are reported every year, but not all are used by threat actors in real-world attacks. There are many reasons for this: a proof of concept (PoC) may not be available for attackers to weaponize, it may be too difficult to exploit the vulnerability, there may be a lack of accessible vulnerable software on the internet, or attackers may simply deem a vulnerability not worth exploiting due to low impact. Real-world defenders need real-world data on which vulnerabilities attackers are choosing to exploit – and where to focus protections.
In the 2022 Unit 42 Network Threat Trends Research Report, we’ve used data captured by the Palo Alto Networks Advanced Threat Prevention security service on Next-Generation Firewall and Prisma SASE from
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
## Network Attack Trends: February-April 2021
By Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen
Published: July 1, 2021
Tags: Trend Reports, Vulnerabilities, Network security trends
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
arXiv
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
arxiv_fulltext·2026-03-02
## Abstract
Large language models (LLMs) are increasingly being deployed as software engineering agents that autonomously contribute to repositories. A major benefit these agents present is their ability to find and patch security vulnerabilities in the codebases they oversee. To estimate the capability of agents in this domain, we introduce ZeroDayBench, a benchmark where LLM agents find and patch 22 novel critical vulnerabilities in open-source codebases. We focus our efforts on three popular frontier agentic LLMs: GPT-5.2, Claude Sonnet 4.5, and Grok 4.1. We find that frontier LLMs are not yet capable of autonomously solving our tasks and observe some behavioral patterns that suggest how these models can be improved in the domain of proactive cyberdefense.
## Introduction
Large langu
References
- https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
- https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210312-0007/
- https://www.npmjs.com/package/systeminformation
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21315
Timeline
- 2021-02-16: Published
- 2022-01-18: Added to CISA KEV
- Exploited in the wild