PT-2026-30817 · Tianxin · Tianxin Internet Behavior Management System
Published 2026-04-07 · Updated 2026-04-19 · CVE-2021-4473
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Tianxin Internet Behavior Management System versions prior to NACFirmware 4.0.0.7 20210716.180815 topsec 0 basic.bin
Description
The Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint. Unauthenticated attackers can execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. This allows attackers to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. The Shadowserver Foundation first observed exploitation of this issue on 2024-06-01 (UTC).
Recommendations
Update to version NACFirmware 4.0.0.7 20210716.180815 topsec 0 basic.bin
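For reviewing web access logs on a device that has not yet been updated, the following added example (not part of the original advisory or of any vendor tooling) flags requests whose objClass value contains shell metacharacters or redirection after URL decoding. It assumes combined-format access logs with the parameter in the query string; the endpoint path and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that let a value break out of a shell command or redirect output.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253B -> %3B -> ;), bounded by `rounds`."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_objclass(log_line):
    """Return the decoded objClass value if it holds shell metacharacters, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == "objclass":
            value = fully_decode(value)
            if SHELL_META.search(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    return [(i, v) for i, line in enumerate(lines, 1)
            if (v := suspicious_objclass(line)) is not None]

# Constructed sample log lines; the path is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2024:00:00:01 +0000] "GET /REPORTER_ENDPOINT_PLACEHOLDER?objClass=report HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jun/2024:00:00:02 +0000] "GET /REPORTER_ENDPOINT_PLACEHOLDER?objClass=x%3Becho+test%3Eout.txt HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jun/2024:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Jun/2024:00:00:04 +0000] "GET /REPORTER_ENDPOINT_PLACEHOLDER?objClass=a%257Cb HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: objClass={value!r}")
```

Access logs normally record only the request line, so a parameter sent in a POST body would need proxy or WAF logs instead. A hit is a lead for checking the web root for unexpected PHP files, not proof of compromise on its own.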
Exploit
Fix
RCE
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Tianxin Internet Behavior Management System