CVE-2021-43936
Published: 2021-12-06
Priority: P186 · Critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: exploited; listed in VulnCheck KEV (initial access)
EPSS: 35.80% (98.3rd percentile)
The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| distributed_data_systems | webhmi | >= 4.1 < 4.1 | 4.1 |
| webhmi | webhmi_firmware | < 4.1 | 4.1 |
Detection & IOCs (extracted from sources)
- Detect PHP file upload to /files.php with Content-Type application/x-php; this is a direct indicator of an unrestricted file upload exploitation attempt.
- Alert on HTTP GET requests to /uploads/files/*.php with a 'cmd' query parameter, indicating execution of a previously uploaded webshell.
- Monitor for the custom authentication headers X-WH-LOGIN and X-WH-PASSWORD in HTTP POST requests to /api/signin, which are used by the exploit for authenticated login.
- Detect URL-encoded reverse shell payload patterns in HTTP query strings: the presence of %3b (semicolon), mknod, /bin/sh, and nc in a single request indicates exploitation.
- Successful exploitation results in remote code execution with root privileges; monitor for unexpected outbound netcat (nc) connections from the WebHMI host.
- The exploit is authenticated: it requires valid credentials (or chaining with the CVE-2021-43931 authentication bypass) before the file upload is possible, so detection should account for both the authenticated and the auth-bypass-assisted exploitation path.
- All WebHMI versions prior to 4.1 are affected; the upload path /uploads/files/ is the default drop location for malicious PHP files and should be monitored, and PHP execution under it should be disabled.
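As an added defender-side example (not code from the page's sources, the vendor, or the exploit), the following Python classifier turns the indicators listed above into alerts and runs them over constructed request records; the record layout (a dict with method, url and headers) and the alert names are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators taken from the detection notes above (CVE-2021-43936, WebHMI < 4.1).
UPLOAD_PATH = "/files.php"                      # PHP upload endpoint
UPLOAD_CT = "application/x-php"                 # Content-Type seen on the upload
WEBSHELL_RE = re.compile(r"^/uploads/files/[^/?]+\.php$")  # default drop location
SIGNIN_PATH = "/api/signin"
AUTH_HEADERS = {"x-wh-login", "x-wh-password"}  # custom auth headers, lower-cased
NC_RE = re.compile(r"\bnc\b")                   # whole token, so "once" does not match


def classify(req):
    """Return the alert names that fire for one request record.
    Record layout is an assumption for this example: a dict with 'method',
    'url' (path plus query) and a 'headers' dict, as a proxy log export might give."""
    method = req["method"].upper()
    parts = urlsplit(req["url"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    alerts = []
    if method == "POST" and parts.path == UPLOAD_PATH and ctype == UPLOAD_CT:
        alerts.append("php-upload-to-files.php")
    if method == "GET" and WEBSHELL_RE.match(parts.path) and "cmd" in parse_qs(parts.query):
        alerts.append("webshell-cmd-request")
    if method == "POST" and parts.path == SIGNIN_PATH and AUTH_HEADERS & set(headers):
        alerts.append("custom-auth-headers-on-signin")
    # Decode once so %3b and a literal ';' are treated alike, then require all four
    # tokens in the same request, as the note above specifies.
    q = unquote(parts.query).lower()
    if ";" in q and "mknod" in q and "/bin/sh" in q and NC_RE.search(q):
        alerts.append("reverse-shell-pattern-in-query")
    return alerts


def scan(requests):
    """Run classify() over a batch; returns (index, alerts) for records that fired."""
    return [(i, classify(r)) for i, r in enumerate(requests) if classify(r)]


# Constructed sample records (not real traffic); the third uses placeholder
# arguments "X" in place of a working command.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/api/signin",
     "headers": {"X-WH-LOGIN": "admin", "X-WH-PASSWORD": "secret"}},
    {"method": "POST", "url": "/files.php",
     "headers": {"Content-Type": "application/x-php"}},
    {"method": "GET", "url": "/uploads/files/a.php?cmd=mknod%20X%3b%20/bin/sh%20X%20nc%20X",
     "headers": {}},
    {"method": "GET", "url": "/index.php?page=once", "headers": {}},
]
```

The upload check matches the request's own Content-Type header; if your logs record multipart parts separately, apply the same comparison to the part's Content-Type instead.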
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 10.0 | CRITICAL | |
GHSA
GHSA-9558-55mx-wf4p (ghsa_unreviewed · 2021-12-07) · CVE-2021-43936 · CRITICAL · CWE-434
The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.
VulnCheck
webhmi webhmi_firmware: Unrestricted Upload of File with Dangerous Type (vulncheck · 2021 · CVSS 10.0 · CRITICAL)
The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.
Affected: webhmi webhmi_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/april-2024s-most-wanted-malware-surge-in-androxgh0st-attacks-and-the-decline-of-lockbit3/; https://blog.checkpoint.com/research/may-2024s-most-wanted-malware-phorpiex-botnet-unleashes-phishing-frenzy-while-lockbit3-dominates-once-again; https://blog.checkpoint.com/r
CISA ICS
Distributed Data Systems WebHMI (cisa_ics · 2021-12-02 · CVSS 9.8 · CRITICAL)
Archived Content: in an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Distributed Data Systems WebHMI
Last Revised: December 02, 2021
Alert Code: ICSA-21-336-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Distributed Data Systems
- Equipment: WebHMI
- Vulnerabilities: Authentication Bypass by Primary Weakness, Unrestricted Upload of File with Dangerous Type
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an administrator account login without password authentication and remote code execution with root privileges.
## 3. TECHNICAL DETAILS
## 3.1 AFFEC
No detection rules found.
No writeups or analysis indexed.