CVE-2021-40845
published 2021-09-15

Priority: P2 (62)
CVSS 3.1: 8.8 HIGH (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 4.61% (90.5th percentile)
The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.

Affected (1 range)

Vendor: zenitel
Product: alphacom_xe_audio_server
Version range: <= 11.2.3.10
Fixed in: not listed

Detection & IOCs (extracted from sources)

  • path: /php/index.php
  • path: /php/script_uploads.php
  • path: /cmd/
  • url: /cmd/poc.php?cmd=
  • command: "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?>
  • Alert on any HTTP request to the /cmd/ directory carrying a 'cmd' query parameter (the PoC calls /cmd/poc.php?cmd=), which indicates a webshell execution attempt.
  • Detect use of the default credentials admin:alphaadmin and scripter:alphascript in HTTP Basic Authorization headers sent to AlphaWeb XE endpoints.
  • Flag file uploads to /php/script_uploads.php where the uploaded file has a .php extension; the application performs no content or extension validation.
  • Look for the sec-ch-ua header value '" Not A;Brand";v="99", "Chromium";v="92"' in upload requests, a static artifact of the public exploit script (an attacker can trivially change it, so treat it as a low-confidence indicator).
  • The exploit requires authentication: it uses two separate credential pairs (admin and scripter roles) via HTTP Basic Auth. Changing the default credentials reduces but does not eliminate risk while the upload endpoint remains unrestricted.
  • Affected versions are AlphaCom XE Audio Server through 11.2.3.10; verify the exact installed version before applying these detections, as patched versions may behave differently.
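The four detections above, implemented as one classifier and run over constructed sample requests that follow the PoC flow (PHP upload with the scripter account, then execution of the dropped shell with the admin account, plus a benign login with rotated credentials). This is an added illustration, not code from the page's sources, Zenitel or the exploit author; the request-record shape (method, path, headers, body), the alert tag names and the extra PHP extension variants in PHP_EXT_RE are assumptions. The indicator strings themselves are the ones quoted on this page.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Indicator values quoted on this page
DEFAULT_CREDS = {"admin:alphaadmin", "scripter:alphascript"}
UPLOAD_ENDPOINT = "/php/script_uploads.php"
EXPLOIT_SEC_CH_UA = '" Not A;Brand";v="99", "Chromium";v="92"'
# Assumption beyond the page: also catch common PHP-executable extension variants
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def basic_header(userpass):
    """Build an HTTP Basic Authorization value for a 'user:pass' string (used to construct samples)."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()


def basic_auth_creds(headers):
    """Return the 'user:pass' string carried by a Basic Authorization header, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def uploaded_filenames(body):
    """Filenames from a multipart/form-data body; simplified parser sufficient for the samples."""
    return re.findall(r'filename="([^"]*)"', body)


def classify(req):
    """Return the alert tags that fire for one request record.

    req is a dict with 'method', 'path' (including query string), 'headers'
    and optionally 'body'; this record shape is an assumption for the example."""
    alerts = []
    url = urlparse(req["path"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # keep_blank_values: the PoC's execution request is '/cmd/poc.php?cmd=' with an empty value
    query = parse_qs(url.query, keep_blank_values=True)

    # 1. Webshell execution: anything under /cmd/ carrying a 'cmd' parameter
    if url.path.startswith("/cmd/") and "cmd" in query:
        alerts.append("webshell-exec")

    # 2. Default credentials in Basic auth (needs plaintext visibility, i.e. after TLS termination)
    if basic_auth_creds(headers) in DEFAULT_CREDS:
        alerts.append("default-creds")

    # 3. PHP file uploaded to the unrestricted Custom Scripts endpoint
    if req["method"].upper() == "POST" and url.path == UPLOAD_ENDPOINT:
        if any(PHP_EXT_RE.search(name) for name in uploaded_filenames(req.get("body", ""))):
            alerts.append("php-upload")

    # 4. Static sec-ch-ua value hard-coded in the public exploit script
    if headers.get("sec-ch-ua") == EXPLOIT_SEC_CH_UA:
        alerts.append("exploit-ua-artifact")

    return alerts


def scan(requests):
    """Run classify() over a batch; return (index, alerts) for every request that fires."""
    hits = []
    for i, req in enumerate(requests):
        alerts = classify(req)
        if alerts:
            hits.append((i, alerts))
    return hits


# Constructed sample traffic modelled on the PoC flow: upload, then execute, plus a benign login.
SAMPLE_REQUESTS = [
    {
        "method": "POST",
        "path": UPLOAD_ENDPOINT,
        "headers": {
            "Authorization": basic_header("scripter:alphascript"),
            "sec-ch-ua": EXPLOIT_SEC_CH_UA,
            "Content-Type": "multipart/form-data; boundary=----x",
        },
        "body": (
            '------x\r\nContent-Disposition: form-data; name="file"; filename="poc.php"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
            '<?php system($_REQUEST["cmd"]); ?>\r\n------x--\r\n'
        ),
    },
    {
        "method": "GET",
        "path": "/cmd/poc.php?cmd=",
        "headers": {"Authorization": basic_header("admin:alphaadmin")},
    },
    {
        "method": "GET",
        "path": "/php/index.php",
        "headers": {"Authorization": basic_header("admin:S3cret-rotated")},
    },
]

if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {', '.join(alerts)}")
```

The credential and sec-ch-ua checks only work where the sensor sees decrypted HTTP (a reverse proxy, WAF or host-side log with the Authorization header), and an attacker can rename the shell or drop the hard-coded header, so the durable signals are the .php upload to /php/script_uploads.php and any later request under /cmd/ with a cmd parameter; the other two mainly raise confidence.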

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, vector AV:N/AC:L/Au:S/C:P/I:P/A:P