cbcvebase.
CVE-2021-4463
published 2025-11-12

Priority: P2 · 67 · High · 8.7 (CVSS 4.0)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.35% (68.0th percentile)
Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

Affected

1 range

Vendor: shenzhen_longjing_technology_co_ltd
Product: bems_api
Version range: <= 1.21
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

URL: /api/downloads?fileName=../../../../../../../../etc/passwd
Path: /api/downloads
  • Send an unauthenticated HTTP GET request to /api/downloads with a fileName parameter containing directory traversal sequences (e.g., ../../../../../../../../etc/passwd). A 200 response containing 'root:.*:0:0:' confirms exploitation.
  • No authentication is required to trigger the vulnerability. Monitor for unauthenticated GET requests to the /api/downloads endpoint containing '../' traversal sequences in the fileName parameter.
  • Match HTTP 200 responses to /api/downloads requests that return Unix passwd file content (root:.*:0:0:) as a confirmation of successful local file inclusion.
  • The vulnerability affects Longjing Technology BEMS API versions up to and including 1.21. The traversal depth used in the PoC (8 levels: ../../../../../../../../) may need adjustment depending on the deployment path of the application.
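The following Python script is an added example that turns the detection guidance above into something a defender can run over web-server access logs; it is not part of this record and not code from Longjing Technology or any detection tool. It flags GET requests to /api/downloads whose fileName parameter contains a '../' traversal sequence, records the traversal depth (the record notes that the 8-level depth of the PoC may vary per deployment), treats an HTTP 200 as a likely success, and exposes the 'root:.*:0:0:' response-body check from the record as a separate function for proxies or WAFs that log bodies. It goes beyond the record by also normalising percent-encoded and double-encoded traversal sequences. The Combined Log Format layout, the use of the auth-user field ("-") as a proxy for an unauthenticated request, and the sample log lines are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Combined Log Format (made up for this example).
# The third field is the HTTP auth user; "-" is used here as a proxy for an
# unauthenticated request, which is an assumption about the log source.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /api/downloads?fileName=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:10:01:09 +0000] "GET /api/downloads?fileName=../../../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/8.4.0"
203.0.113.7 - - [12/Nov/2025:10:01:15 +0000] "GET /api/downloads?fileName=..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 403 0 "-" "curl/8.4.0"
10.0.0.9 - alice [12/Nov/2025:10:02:00 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# One traversal step, with either slash direction.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Signature the record gives for confirming that /etc/passwd content came back.
PASSWD_RE = re.compile(r'root:.*:0:0:')
WATCHED_PATH = '/api/downloads'
WATCHED_PARAM = 'fileName'


def decode_fully(value, max_rounds=3):
    """Strip up to max_rounds layers of percent-encoding (handles %252e double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line):
    """Return an alert dict for a GET to /api/downloads whose fileName contains traversal, else None."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'GET':
        return None
    parts = urlsplit(m['target'])
    if parts.path != WATCHED_PATH:
        return None
    # parse_qs already undoes one layer of percent-encoding; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(WATCHED_PARAM, []):
        name = decode_fully(raw)
        if TRAVERSAL_RE.search(name):
            status = int(m['status'])
            return {
                'ip': m['ip'],
                'timestamp': m['ts'],
                'unauthenticated': m['user'] == '-',
                'status': status,
                'file_name': name,
                'depth': len(TRAVERSAL_RE.findall(name)),
                'likely_success': status == 200,
            }
    return None


def confirms_passwd_content(body):
    """True when a response body matches the passwd signature given in the record."""
    return PASSWD_RE.search(body) is not None


def scan_log(text):
    """Run inspect_request over every line and collect the alerts."""
    return [alert for alert in (inspect_request(l) for l in text.splitlines()) if alert]


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running the script on the constructed sample yields two alerts: the plain 8-level request that returned 200 (flagged as a likely success) and the double-encoded 6-level request that was blocked with 403. Decoding before matching matters because a rule that only looks for the literal string '../' in the raw URL misses the encoded variants, while the 200/403 split lets a responder separate confirmed exposure from blocked attempts.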
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.