PT-2025-47017 · Ipcop · Ipcop
Mücahit Saratar · Published 2025-11-14 · Updated 2025-11-15 · CVE-2021-4466
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
IPCop versions up to and including 2.1.9
Description
IPCop versions up to and including 2.1.9 have an issue allowing authenticated remote code execution within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL PW parameter, directly into system-level operations without proper input sanitization. An attacker can execute arbitrary operating system commands with the privileges of the web interface by modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, potentially leading to full system compromise.
Recommendations
Update to a version later than 2.1.9.
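The injection pattern from the description, next to two ways of closing it, as an added example (not IPCop code and not taken from the advisory). The helper command, the function names and the sample value are hypothetical stand-ins; the helper only prints the argument it receives.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for the mail helper behind a "save and test mail"
# action: it only prints the password argument it was given.
HELPER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
HELPER_SH = " ".join(shlex.quote(part) for part in HELPER)

# Constructed sample value for the email password field.
SAMPLE_PW = "hunter2; echo INJECTED"


def send_test_mail_unsafe(email_pw: str) -> str:
    """Flawed pattern: the field is pasted into a shell command line."""
    cmd = HELPER_SH + " " + email_pw
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_test_mail_quoted(email_pw: str) -> str:
    """If a shell cannot be avoided, quote the value as one literal word."""
    cmd = HELPER_SH + " " + shlex.quote(email_pw)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_test_mail_safe(email_pw: str) -> str:
    """Preferred: no shell at all, the value is a single argv element."""
    return subprocess.run(HELPER + [email_pw], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (send_test_mail_unsafe, send_test_mail_quoted, send_test_mail_safe):
        print(f"{fn.__name__}: {fn(SAMPLE_PW)!r}")
```

Passwords can legitimately contain shell metacharacters, so the fix is to keep the value out of the shell's parser rather than to reject such characters.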
Exploit
Fix
RCE
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Ipcop