CVE-2021-43936
published 2021-12-06


Priority: P186 | Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, Exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 35.80% (98.3th percentile)
The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.

Affected (2 ranges)

Vendor                    Product           Version range       Fixed in
distributed_data_systems  webhmi            >= 4.1, < 4.14.1    -
webhmi                    webhmi_firmware   < 4.14.1            -

Detection & IOCs (extracted from sources)

path:     /api/signin
path:     /login.php
path:     /files.php
path:     /uploads/files/cmd.php
filename: cmd.php
cookie:   X-WH-SESSION-ID
cookie:   X-WH-CHECK-TRIAL=true
  • Detect PHP file upload to /files.php with Content-Type application/x-php — a direct indicator of the unrestricted file upload exploitation attempt.
  • Alert on HTTP GET requests to /uploads/files/*.php with a 'cmd' query parameter, indicating execution of a previously uploaded webshell.
  • Monitor for the custom authentication headers X-WH-LOGIN and X-WH-PASSWORD in HTTP POST requests to /api/signin, which are used by the exploit for authenticated login.
  • Detect URL-encoded reverse shell payload patterns in HTTP query strings: presence of %3b (semicolon), mknod, /bin/sh, and nc in a single request indicates exploitation.
  • Successful exploitation results in remote code execution with root privileges; monitor for unexpected outbound netcat (nc) connections from the WebHMI host.
  • The exploit is authenticated: it requires valid credentials (or chaining with the CVE-2021-43931 authentication bypass) before the file upload is possible. Detection should account for both the authenticated and the auth-bypass-assisted exploitation paths.
  • All WebHMI versions prior to 4.1 are affected; the upload path /uploads/files/ is the default drop location for malicious PHP files and should be monitored, and PHP execution should be disabled for that directory.
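As an added defender-side example (not from this page's sources or from the vendor), the detection bullets above expressed as rules over request records; the record layout, the rule names and the sample traffic are assumptions constructed here:

```python
"""Detection rules for the CVE-2021-43936 WebHMI indicators listed above.
Added example: request records are dicts with method, url and headers;
adapt the field names to the parser that feeds your own log pipeline."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

def _headers(req):
    """Lowercase header names so matching is case-insensitive."""
    return {k.lower(): v for k, v in req.get("headers", {}).items()}

def classify_request(req):
    """Return the names of the detection rules that this one request matches."""
    hits = []
    method = req["method"].upper()
    parts = urlsplit(req["url"])
    path, query = parts.path, parts.query
    hdr = _headers(req)
    params = parse_qs(query, keep_blank_values=True)
    # Rule 1: a PHP body posted to the file handler.
    if method == "POST" and path == "/files.php" and hdr.get("content-type", "").startswith("application/x-php"):
        hits.append("php_upload_to_files.php")
    # Rule 2: a previously uploaded web shell driven through a 'cmd' parameter.
    if method == "GET" and re.fullmatch(r"/uploads/files/[^/]+\.php", path) and "cmd" in params:
        hits.append("webshell_cmd_exec")
    # Rule 3: the custom authentication headers on the sign-in endpoint.
    if method == "POST" and path == "/api/signin" and {"x-wh-login", "x-wh-password"} <= set(hdr):
        hits.append("custom_auth_headers_signin")
    # Rule 4: encoded semicolon plus mknod, /bin/sh and nc all in one query string.
    decoded = unquote(query).lower()
    if ("%3b" in query.lower() and re.search(r"\bmknod\b", decoded)
            and "/bin/sh" in decoded and re.search(r"\bnc\b", decoded)):
        hits.append("reverse_shell_tokens")
    return hits

def scan(requests):
    """Map request index -> matched rules for every request that matched at least one rule."""
    out = {}
    for i, req in enumerate(requests):
        hits = classify_request(req)
        if hits:
            out[i] = hits
    return out

# Constructed sample traffic (not captured from any real system); the last request is benign.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/api/signin", "headers": {"X-WH-LOGIN": "admin", "X-WH-PASSWORD": "x"}},
    {"method": "POST", "url": "/files.php", "headers": {"Content-Type": "application/x-php", "Cookie": "X-WH-SESSION-ID=abc"}},
    {"method": "GET", "url": "/uploads/files/cmd.php?cmd=x%3Bmknod%3B/bin/sh%3Bnc", "headers": {}},
    {"method": "GET", "url": "/login.php", "headers": {}},
]

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_REQUESTS).items():
        print(i, SAMPLE_REQUESTS[i]["url"], rules)
```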

CVSS provenance

NVD (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0):  10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck:   10.0 CRITICAL