cbcvebase.
CVE-2021-4462
published 2025-11-10


Priority: P187 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 3.05% (85.9th percentile)
Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Affected (2 ranges)

Vendor                    Product                   Version range   Fixed in
employee_records_system   employee_records_system   (none listed)   (none listed)
skittles                  employee_records_system   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

path: /dashboard/uploadID.php
path: /uploads/employees_ids/
other: Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
  • Detect unauthenticated POST requests to /dashboard/uploadID.php with multipart/form-data content type, particularly where the uploaded filename has a .php extension but Content-Type is set to image/png (MIME type mismatch indicating bypass attempt).
  • Monitor for GET requests to /uploads/employees_ids/ for files with .php extensions, which would indicate successful exploitation and attempted execution of an uploaded webshell.
  • The exploit uses the form field name 'employee_ID' to upload a PHP file with a randomized lowercase 5-character basename and .php extension while spoofing Content-Type as image/png.
  • Successful exploitation is confirmed when the response body contains the MD5 hash of the string 'CVE-2021-4462' and the follow-up GET to the uploaded PHP file returns HTTP 200.
  • Active exploitation of this vulnerability was observed in the wild by the Shadowserver Foundation on 2025-02-06 UTC; treat any hits on uploadID.php from unauthenticated sources as high-priority.
  • The vulnerability is unauthenticated — no session cookie or authentication token is required to reach the uploadID.php endpoint, meaning perimeter authentication controls alone are insufficient.
  • The application does not perform proper server-side validation of uploaded files, so client-supplied MIME types (e.g., image/png) are trusted; detection must inspect actual file content/extension rather than Content-Type headers.
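The detection guidance above, turned into two checks a WAF, proxy or log pipeline could run: one over an inbound multipart upload request (unauthenticated POST to uploadID.php carrying a script file whose part Content-Type claims image/png), and one over access-log lines (GET for a script under /uploads/employees_ids/). This is an added example, not code from the source or the vendor; the multipart parser, the log regex, the extension list (which is wider than the plain .php the report names) and the sample request and log line are all constructed assumptions.

```python
import re
UPLOAD_ENDPOINT = "/dashboard/uploadID.php"  # endpoint named in the advisory
UPLOAD_DIR = "/uploads/employees_ids/"  # upload directory named in the advisory
EXEC_EXT = re.compile(r"\.ph(p\d?|tml|ar)$", re.I)  # server-executable extensions (assumption: wider than .php)
LOG_RE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')  # common log format

def parse_multipart(content_type, body):
    """Return (field name, filename, declared part Content-Type) for each multipart body part."""
    if not (m := re.search(r'boundary=("?)([^";]+)\1', content_type)):
        return []
    delim, parts = b"--" + m.group(2).encode(), []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: no more parts
            break
        head = chunk.partition(b"\r\n\r\n")[0].decode("latin-1")
        hdrs = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in head.strip().splitlines())}
        disp = hdrs.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append((name and name.group(1), fname and fname.group(1), hdrs.get("content-type")))
    return parts

def check_upload_request(method, path, headers, body, authenticated):
    """Return the reasons an upload request matches the reported pattern ([] if it does not)."""
    ctype = headers.get("content-type", "")
    if method != "POST" or path != UPLOAD_ENDPOINT or not ctype.startswith("multipart/form-data"):
        return []
    reasons = [] if authenticated else ["unauthenticated POST to uploadID.php"]
    for field, fname, part_type in parse_multipart(ctype, body):
        if fname and EXEC_EXT.search(fname):
            reasons.append(f"executable filename {fname!r} in field {field!r}")
            if part_type and part_type.lower().startswith("image/"):  # client-declared type is spoofed
                reasons.append(f"MIME mismatch: {fname!r} declared as {part_type}")
    return reasons

def check_access_log_line(line):
    """Return (path, status) when a GET fetches a script under the upload directory, else None."""
    if not (m := LOG_RE.match(line)):
        return None
    method, path, status = m.group(1), m.group(2).split("?", 1)[0], int(m.group(3))
    if method == "GET" and path.startswith(UPLOAD_DIR) and EXEC_EXT.search(path):
        return path, status
    return None
# Constructed sample inputs (not captured traffic) that mirror the reported request pattern.
BOUNDARY = "----constructedBoundary1234"
SAMPLE_HEADERS = {"content-type": f"multipart/form-data; boundary={BOUNDARY}"}
SAMPLE_BODY = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"employee_ID\"; filename=\"abcde.php\"\r\n"
               f"Content-Type: image/png\r\n\r\nplaceholder body\r\n--{BOUNDARY}--\r\n").encode()
SAMPLE_LOG = '203.0.113.5 - - [06/Feb/2025:10:00:00 +0000] "GET /uploads/employees_ids/abcde.php HTTP/1.1" 200 512'
```

Whether a request counts as authenticated is left to the caller (session lookup), since the page states the endpoint itself requires none; a hit on the log check with status 200 is the post-exploitation signal the second bullet describes.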

CVSS provenance

NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v4.0): 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 9.3 CRITICAL