CVE-2021-26599
published 2022-03-28

CVE-2021-26599: ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.

Priority: P2 (70)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 19.42% (97.0th percentile)

Affected (2 ranges)

Vendor       Product      Version range    Fixed in
impresscms   impresscms   < 1.4.4          1.4.4
impresscms   impresscms   >= 0, < 1.4.3    1.4.3

The two ranges disagree on the fixed version. The CVE description says "before 1.4.3", so 1.4.3 is the earliest release treated as patched; when patching, 1.4.4 is the conservative target that satisfies both ranges.

Detection & IOCs (extracted from sources)

URL:        include/findusers.php
POST body:  user_submit=1&token=<token>&groups[]=<sqli_payload>
  • Detect SQL injection attempts against include/findusers.php via the POST parameter groups[] containing SQL metacharacters or SLEEP/PREPARE/EXECUTE patterns.
  • Alert on POST requests to modules/system/admin.php with fct=autotasks and op=addautotasks; in this chain that is the malicious autotask creation that leads to RCE.
  • Detect HTTP requests to the ImpressCMS root URL carrying a custom CMD header with a base64-encoded OS command, used for post-exploitation shell interaction.
  • Monitor for time-based blind SQL injection via SLEEP() in the groups[] POST parameter to include/findusers.php; responses delayed by 2 seconds or more indicate successful exploitation.
  • Detect uname=egix login attempts following the SQL injection: the exploit inserts a hardcoded admin user named 'egix' with md5('egix') as the password hash.
  • Nuclei/scanner fingerprint: an HTTP 200 response from the ImpressCMS endpoint whose body contains the string 'array(1) {' indicates a vulnerable version.
  • Detect passthru() or base64_decode() injected into ImpressCMS autotask code fields (the sat_code parameter), indicating webshell implantation.

Notes
  • The exploit chains CVE-2021-26598 (token disclosure via misc.php) with CVE-2021-26599 (SQL injection via the findusers.php groups[] parameter); both CVEs must be present for the full RCE chain to succeed.
  • The SQL injection payload uses MySQL-specific PREPARE/EXECUTE and SLEEP() constructs; scope detection rules to MySQL-backed ImpressCMS deployments.
  • The exploit inserts a rogue admin user (level=5, groupid=1) directly into the database; post-exploitation forensics should audit the users and groups_users_link tables for unexpected entries.
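The IOC bullets above map onto a small rule set. The following is an added example written for this page (not ImpressCMS code, and not a published Nuclei template or Sigma rule) that turns those bullets into rules and runs them over constructed request records. The record shape (method, path, body, headers, duration) is an assumed normalisation of what a reverse-proxy or WAF log exposes; the login path /user.php in the sample data is also an assumption, and every sample request is constructed.

```python
# Added example for this page: IOC bullets turned into detection rules and run
# over constructed request records. Illustrative code only; not ImpressCMS code
# and not a published Nuclei/Sigma rule. The record fields (method, path, body,
# headers, duration) are an assumed log normalisation; all sample data is made up.
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# SQL metacharacters plus the MySQL-specific SLEEP()/PREPARE/EXECUTE constructs
# the IOC list attributes to the public exploit.
SQLI_RE = re.compile(r"""['"`;]|--|/\*|\bSLEEP\s*\(|\bPREPARE\b|\bEXECUTE\b""", re.I)
SLEEP_RE = re.compile(r"\bSLEEP\s*\(", re.I)
# Webshell constructs the IOC list names for the autotask sat_code field.
WEBSHELL_RE = re.compile(r"\b(passthru|base64_decode)\s*\(", re.I)
SLOW_RESPONSE_SECONDS = 2.0  # threshold taken from the time-based-blind IOC


def _params(path, body):
    """Merge query-string and form-body parameters into {name: [values]}."""
    merged = {}
    for raw in (urlsplit(path).query, body or ""):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def _is_base64(value):
    """True if value is well-formed, non-empty base64 (strict alphabet and padding)."""
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def detect(record):
    """Return the names of every rule that fires on one request record, in order."""
    hits = []
    path = urlsplit(record["path"]).path
    params = _params(record["path"], record.get("body"))
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    groups = params.get("groups[]", [])

    # SQLi in the groups[] POST parameter of include/findusers.php, plus a
    # higher-confidence rule when SLEEP() coincides with a delayed response.
    if record["method"] == "POST" and path.endswith("include/findusers.php"):
        if any(SQLI_RE.search(g) for g in groups):
            hits.append("findusers_groups_sqli")
        if (any(SLEEP_RE.search(g) for g in groups)
                and record.get("duration", 0.0) >= SLOW_RESPONSE_SECONDS):
            hits.append("findusers_timebased_sqli_confirmed")

    # Autotask creation via modules/system/admin.php, and webshell constructs
    # inside the submitted sat_code field.
    if (path.endswith("modules/system/admin.php")
            and params.get("fct") == ["autotasks"]
            and params.get("op") == ["addautotasks"]):
        hits.append("autotask_creation")
        if any(WEBSHELL_RE.search(code) for code in params.get("sat_code", [])):
            hits.append("autotask_webshell_implant")

    # Custom CMD header carrying base64 (post-exploitation shell interaction).
    # The IOC says the root URL; the header alone is anomalous, so no path check.
    if "cmd" in headers and _is_base64(headers["cmd"]):
        hits.append("cmd_header_post_exploitation")

    # Login as the hardcoded rogue admin 'egix', whatever the login endpoint.
    if params.get("uname") == ["egix"]:
        hits.append("egix_rogue_admin_login")
    return hits


def scan(records):
    """Map record index -> fired rules, for every record that triggered a rule."""
    return {i: hits for i, rec in enumerate(records) if (hits := detect(rec))}


# Constructed sample traffic: one benign request, then one request per attack stage.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/include/findusers.php",
     "body": "user_submit=1&token=abc123&groups[]=1", "duration": 0.04},
    {"method": "POST", "path": "/include/findusers.php",
     "body": "user_submit=1&token=abc123&groups[]=" + quote("1) AND SLEEP(2)-- "),
     "duration": 2.31},
    {"method": "POST", "path": "/modules/system/admin.php",
     "body": "fct=autotasks&op=addautotasks&sat_code="
             + quote("passthru(base64_decode($_SERVER['HTTP_CMD']));")},
    {"method": "GET", "path": "/", "headers": {"CMD": base64.b64encode(b"id").decode()}},
    {"method": "POST", "path": "/user.php", "body": "op=login&uname=egix&pass=x"},  # path assumed
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_REQUESTS).items():
        print(index, SAMPLE_REQUESTS[index]["path"], rules)
```

The benign request (numeric group id, fast response) fires nothing; each attack-stage request fires the rule for its stage, and the SLEEP() request fires both the metacharacter rule and the delay-confirmed rule. Because groups[] legitimately carries numeric group ids, a stricter production rule can simply flag any non-numeric value in that parameter, which avoids maintaining a metacharacter list; the metacharacter form is used here because it is what the IOC text describes.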

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      3.1       9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD      2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P