CVE-2021-21805
Published: 2021-08-05
Priority P189 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 69.63% (99.3th percentile)
An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | r-seenet | — | — |
Detection & IOCs
path: /php/ping.php
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Advantech R-SeeNet ping.php Command Injection (CVE-2021-21805)"; flow:established,to_server; http.uri; content:"/php/ping.php|3f|"; fast_pattern; content:"hostname|3d|"; pcre:"/^[^&$]*?(?:[\x3b\x24\x60\x7c]|\x25(?:3[bB]|24|60|7[cC]))/R"; http.method; content:"GET"; reference:url,www.talosintelligence.com/vulnerability_reports/TALOS-2021-1274; reference:cve,2021-21805; classtype:web-application-attack; sid:2065739; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_12, cve CVE_2021_21805, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- HTTP GET request to /php/ping.php with a pipe-injected hostname parameter (e.g., hostname=|dir) is the canonical exploit pattern; look for shell metacharacters (;, $, `, |) or their URL-encoded equivalents (%3b, %24, %60, %7c) in the hostname parameter value.
- Response body containing both 'Ping |dir' and 'bottom.php' simultaneously indicates successful command injection and can be used as a positive match condition.
- Shodan/FOFA fingerprinting: hosts exposing 'R-SeeNet' or 'r-seenet' in HTTP response body are candidate targets for this CVE.
- The Snort/ET rule targets only HTTP GET method traffic flowing to the server (to_server); filter on that direction and method to reduce false positives.
- The Snort rule (sid:2065739) includes 'tls_state TLSDecrypt' and 'deployment SSLDecrypt' metadata, meaning it will only fire on TLS-encrypted traffic if SSL inspection/decryption is enabled on the sensor; plain HTTP deployments do not require this.
- The Nuclei template uses a single GET request and matches on HTTP 200 + text/html Content-Type + specific body strings; a hardened or patched instance returning a different status or body will not trigger the matcher, potentially causing false negatives.
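The hostname check described in the notes above, applied to web server access logs for retrospective triage. This is an added example, not code from the page or from the rule's authors; the combined log format and the sample lines are constructed, and decoding the value up to twice and flagging every HTTP method are choices that go beyond what the rule itself matches.

```python
import re
from urllib.parse import urlsplit, unquote

META = set(";$`|")  # shell metacharacters the rule looks for in hostname
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def hostname_values(query):
    """Yield raw (still percent-encoded) hostname= values from a query string."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "hostname":
            yield value

def suspicious(value, max_decodes=2):
    """Return metacharacters seen after 0..max_decodes rounds of URL decoding."""
    found = set()
    for _ in range(max_decodes + 1):
        found |= META & set(value)
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return sorted(found)

def scan(lines):
    """Return (line_number, method, metachars) for ping.php requests to triage."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        url = urlsplit(m["target"]) if m else None
        if not url or not url.path.lower().endswith("/php/ping.php"):
            continue
        for value in hostname_values(url.query):
            chars = suspicious(value)
            if chars:
                hits.append((n, m["method"], chars))
    return hits

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE = [
    '192.0.2.10 - - [12/Nov/2025:10:00:01 +0000] "GET /php/ping.php?hostname=10.0.0.5 HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Nov/2025:10:00:02 +0000] "GET /php/ping.php?hostname=|dir HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Nov/2025:10:00:03 +0000] "GET /php/ping.php?hostname=%7Cdir HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Nov/2025:10:00:04 +0000] "GET /php/ping.php?x=1&hostname=a%253Bb HTTP/1.1" 200 90',
    '192.0.2.10 - - [12/Nov/2025:10:00:05 +0000] "GET /index.php?hostname=|dir HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit means the request matched the injection pattern, not that it succeeded; pair it with the response-body condition noted above where response data is available.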
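CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |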
GHSA
GHSA-r4xf-pp9q-gmx5: An OS Command Injection vulnerability exists in the ping
ghsa_unreviewed·2022-05-24
CVE-2021-21805 [CRITICAL] CWE-78 GHSA-r4xf-pp9q-gmx5: An OS Command Injection vulnerability exists in the ping
VulnCheck
advantech r-seenet Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-21805 [CRITICAL] advantech r-seenet Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: advantech r-seenet
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-24&host_type=src&vulnerability=cve-2021-21805; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabi
Suricata
ET WEB_SPECIFIC_APPS Advantech R-SeeNet ping.php Command Injection (CVE-2021-21805)
suricata·2025-11-12·CVSS 9.8
CVE-2021-21805 [CRITICAL] ET WEB_SPECIFIC_APPS Advantech R-SeeNet ping.php Command Injection (CVE-2021-21805)
Nuclei
Advantech R-SeeNet 2.4.12 - OS Command Injection
nuclei·CVSS 9.8
CVE-2021-21805 [CRITICAL] Advantech R-SeeNet 2.4.12 - OS Command Injection
Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
id: CVE-2021-21805
info:
  name: Advantech R-SeeNet 2.4.12 - OS Command Injection
  author: arafatansari
  severity: critical
  description: |
    Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without
Talos
Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet
blogs_talos·2021-07-15·CVSS 6.1
[MEDIUM] Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet
The Talos vulnerability research team discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software.
R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications.
TALOS-2021-1270 (CVE-2021-21799), TALOS-2021-1271 (CVE-2021-21800) and TALOS-2021-1272 (CVE-2021-21801 - CVE-2021-21803) are all vulnerabilities that could allow an attacker to execute arbitrary JavaScript code in the context of the targeted user's browser. An adversary could exploit any of these vulnerabilit