CVE-2021-4473
Published: 07 April 2026
Summary
CVE-2021-4473 is a critical-severity OS Command Injection (CWE-78) vulnerability in Topsecgroup Tianxin Internet Behavior Management System. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-4473 is a command injection vulnerability (CWE-78) in the Tianxin Internet Behavior Management System, specifically in the Reporter component endpoint. The flaw allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables attackers to write malicious PHP files into the web root, resulting in remote code execution with the privileges of the web server process.
The vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Mitigation details are available in advisories from sources including Aliyun (AVD-2021-890232), CNVD (CNVD-2021-41972), and VulnCheck.
Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC). The CVE was published on 2026-04-07T13:16:44.540.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34776
Vulnerability details
Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in the public-facing Reporter endpoint (T1190) enables arbitrary Unix shell execution (T1059.004) and writing PHP web shells to the web root (T1505.003) for RCE.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents command injection by requiring validation of the objClass parameter to reject shell metacharacters and output redirection.
AC-14 limits permitted actions without authentication, preventing unauthenticated attackers from accessing the vulnerable Reporter endpoint.
SI-2 requires timely flaw remediation by applying the fixed firmware version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin to eliminate the command injection vulnerability.
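One way to apply the SI-10 check described above, both as a server-side validator for objClass and as a retrospective scan of web access logs. This is an added example, not code from the vendor or from this page; the allowlist pattern, the `/REPORTER-PLACEHOLDER` path and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate objClass values are short plain identifiers. The page
# does not document the real value set, so this allowlist is hypothetical.
SAFE_OBJCLASS = re.compile(r"[A-Za-z0-9_]{1,64}")
# Shell metacharacters, including the redirection operators < and >.
SHELL_META = set(";|&`$<>(){}\\\n\r'\"")

# Common/combined log format: client, two ids, [time], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the path is a placeholder, not the product's real endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /REPORTER-PLACEHOLDER?objClass=summary HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /REPORTER-PLACEHOLDER?objClass=x%3Becho+constructed%3Eout.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /REPORTER-PLACEHOLDER?objClass=x%0Aid HTTP/1.1" 200 0',
]

def check_objclass(value):
    """Return (ok, reason). Usable as a server-side validator or a log filter."""
    hits = sorted(SHELL_META.intersection(value))
    if hits:
        return False, "shell metacharacters: " + " ".join(repr(c) for c in hits)
    if not SAFE_OBJCLASS.fullmatch(value):
        return False, "outside allowlist pattern"
    return True, "ok"

def scan_access_log(lines):
    """Return (line_no, client, status, reason) for each rejected objClass value."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes, so %3B, %3E and %0A are inspected as ; > and newline.
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if key == "objClass":
                ok, reason = check_objclass(value)
                if not ok:
                    findings.append((line_no, m["src"], m["status"], reason))
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Access logs record only the request line, so a parameter sent in a request body has to be checked at a reverse proxy or WAF instead.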