CVE-2021-4473
published 2026-04-07CVE-2021-4473: Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers…
PriorityP192critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
6.17%
92.6th percentile
Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beijing_topsec_network_security_technology_co_ltd | tianxin_internet_behavior_management_system | < 4.0.0.7_20210716.180815 | 4.0.0.7_20210716.180815 |
| topsecgroup | tianxin_internet_behavior_management_system | < 4.0.0.7_20210716.180815 | 4.0.0.7_20210716.180815 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-qr68-g3cq-vhr2: Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated
ghsa_unreviewed·2026-04-07
CVE-2021-4473 [CRITICAL] CWE-78 GHSA-qr68-g3cq-vhr2: Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated
Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).
VulnCheck
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2021·CVSS 9.3
CVE-2021-4473 [CRITICAL] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).
Affected: Beijing Topsec Network Security Technology Co.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-07
Published
Exploited in the wild