CVE-2021-42071
published 2021-10-07


Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 69.88% (99.3th percentile)

In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.

Affected

1 range
Vendor | Product | Version range | Fixed in
visual-tools | dvr_vx16_firmware | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/slogin/login.py
command: () { :; }; echo ; echo ; /bin/cat /etc/passwd
ua: () { :; }; echo ; echo ; /bin/cat /etc/passwd
sigma: GET /cgi-bin/slogin/login.py HTTP/1.1 with User-Agent matching Shellshock pattern: () { :; };
yara:
rule CVE_2021_42071_Shellshock_DVR {
    strings:
        $ua = "() { :; };"
        $path = "/cgi-bin/slogin/login.py"
    condition:
        $ua and $path
}

  • Detect unauthenticated HTTP GET requests to /cgi-bin/slogin/login.py where the User-Agent header contains Shellshock-style metacharacters: '() { :; };'
  • Alert on HTTP responses returning HTTP 200 with body matching 'root:.*:0:0:' following a request to /cgi-bin/slogin/login.py — this indicates successful /etc/passwd exfiltration via command injection.
  • The exploit leverages the Shellshock (CVE-2014-6271) bash function definition syntax in the User-Agent header to inject OS commands; monitor for '() {' patterns in User-Agent fields on DVR endpoints.
  • No authentication is required; any request to the login.py CGI endpoint with a malicious User-Agent is sufficient for exploitation. Flag all unauthenticated requests to this path with non-standard User-Agent values.
  • Vulnerability is specific to Visual Tools DVR VX16 firmware version 4.2.28.0 running on Embedded Linux 2.6.35.4; detections should be scoped to this platform/version.
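
The detection notes above, applied to web access logs. This is an added example, not a rule from the sources this page quotes. It assumes Combined Log Format input; the log lines are constructed, and the high/medium/low triage levels are an assumption made for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - - [ts] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# Shellshock function-definition prefix; deliberately loose about whitespace.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')
CGI_PATH = "/cgi-bin/slogin/login.py"

def classify(line):
    """Return (severity, client_ip, normalised_path) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m or not SHELLSHOCK_RE.search(m["ua"]):
        return None
    # Normalise the target: drop the query string, percent-decode, collapse '//'.
    path = re.sub(r'/+', '/', unquote(m["target"].split("?", 1)[0]))
    on_cgi = path.lower() == CGI_PATH
    if on_cgi and m["status"] == "200":
        return ("high", m["ip"], path)    # pattern reached the CGI and it answered 200
    return ("medium" if on_cgi else "low", m["ip"], path)

def scan(lines):
    """Classify every line and keep only the hits, in input order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2021:10:00:00 +0000] "GET /cgi-bin/slogin/login.py HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [07/Oct/2021:10:00:05 +0000] "GET /cgi-bin/slogin/login.py HTTP/1.1" 200 1843 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"',
    '198.51.100.7 - - [07/Oct/2021:10:00:09 +0000] "GET /cgi-bin//slogin/login%2Epy?x=1 HTTP/1.1" 404 0 "-" "() { :; };"',
    '203.0.113.5 - - [07/Oct/2021:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 99 "-" "() { :; };"',
]

if __name__ == "__main__":
    for severity, ip, path in scan(SAMPLE_LOG):
        print(f"{severity:6} {ip:15} {path}")
```

Access logs carry no response body, so the 'root:.*:0:0:' response check from the notes still needs a sensor that sees the response, such as a proxy or IDS.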

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL