cbcvebase.
CVE-2021-21805
published 2021-08-05

CVE-2021-21805: An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request…

PriorityP189critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
69.63%
99.3th percentile
An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.

Affected

1 ranges
VendorProductVersion rangeFixed in
advantechr-seenet

Detection & IOCsextracted from sources · hover to see the quote

url/php/ping.php?hostname=|dir
path/php/ping.php
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Advantech R-SeeNet ping.php Command Injection (CVE-2021-21805)"; flow:established,to_server; http.uri; content:"/php/ping.php|3f|"; fast_pattern; content:"hostname|3d|"; pcre:"/^[^&$]*?(?:[\x3b\x24\x60\x7c]|\x25(?:3[bB]|24|60|7[cC]))/R"; http.method; content:"GET"; reference:url,www.talosintelligence.com/vulnerability_reports/TALOS-2021-1274; reference:cve,2021-21805; classtype:web-application-attack; sid:2065739; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_12, cve CVE_2021_21805, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • HTTP GET request to /php/ping.php with a pipe-injected hostname parameter (e.g., hostname=|dir) is the canonical exploit pattern; look for shell metacharacters (;, $, `, |) or their URL-encoded equivalents (%3b, %24, %60, %7c) in the hostname parameter value.
  • Response body containing both 'Ping |dir' and 'bottom.php' simultaneously indicates successful command injection and can be used as a positive match condition.
  • Shodan/FOFA fingerprinting: hosts exposing 'R-SeeNet' or 'r-seenet' in HTTP response body are candidate targets for this CVE.
  • The Snort/ET rule targets only HTTP GET method traffic flowing to the server (to_server); filter on that direction and method to reduce false positives.
  • ·The Snort rule (sid:2065739) includes 'tls_state TLSDecrypt' and 'deployment SSLDecrypt' metadata, meaning it will only fire on TLS-encrypted traffic if SSL inspection/decryption is enabled on the sensor; plain HTTP deployments do not require this.
  • ·The Nuclei template uses a single GET request and matches on HTTP 200 + text/html Content-Type + specific body strings; a hardened or patched instance returning a different status or body will not trigger the matcher, potentially causing false negatives.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.