Cyber Posture

CVE-2021-47728

Critical · Public PoC · RCE

Published: 09 December 2025
Modified: 23 February 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0162 (82.0th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-47728 is a critical-severity OS Command Injection (CWE-78) vulnerability in Selea Carplateserver. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly prevents command injection by requiring validation and sanitization of untrusted inputs like the 'addr' and 'port' parameters in utils.php.

prevent (IA-8, Identification and Authentication (Non-organizational Users)): Requires identification and authentication for non-organizational users, blocking unauthenticated remote exploitation of the vulnerability.

prevent (AC-14, Permitted Actions Without Identification or Authentication): Limits permitted actions without identification or authentication, preventing exposure of the vulnerable utils.php endpoint to unauthorized remote attackers.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote command injection in a public-facing web application (IP camera utils.php) directly enables T1190 for initial access and T1059.004 for arbitrary Unix shell command execution as www-data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit the 'addr' and 'port' parameters to inject commands and gain www-data user access through chained local file inclusion techniques.

Deeper analysis

CVE-2021-47728 is an unauthenticated command injection vulnerability (CWE-78) affecting the Selea Targa IP OCR-ANPR Camera, specifically in the utils.php component. Remote attackers can exploit the 'addr' and 'port' parameters to inject and execute arbitrary shell commands, leveraging chained local file inclusion techniques to gain access as the www-data user. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Any remote attacker can exploit this vulnerability without authentication, requiring no privileges, user interaction, or special conditions. Successful exploitation allows execution of arbitrary shell commands on the device, potentially leading to full compromise including high confidentiality, integrity, and availability impacts as reflected in the CVSS score.

Advisories and references, including those from Zeroscience (ZSL-2021-5620), Vulncheck, and Exploit-DB (exploit 49460), provide technical details and a proof-of-concept, while the vendor site at Selea.com is listed for potential updates. No specific patch or mitigation details are outlined in the available information.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products (vendor, product, versions)

selea, izero box full firmware, all versions
selea, izero column entry/8 firmware, all versions
selea, izero column full/8 firmware, all versions
selea, targa 504 firmware, all versions
selea, targa 512 firmware, all versions
selea, targa 704 ilb firmware, all versions
selea, targa 704 tkm firmware, all versions
selea, targa 710 inox firmware, all versions
selea, targa 750 firmware, all versions
selea, targa 805 firmware, all versions
+2 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2021-47731 (same product: Selea Carplateserver)
CVE-2021-47730 (same product: Selea Carplateserver)
CVE-2026-1961 (shared CWE-78)
CVE-2013-10069 (shared CWE-78)
CVE-2025-54418 (shared CWE-78)
CVE-2026-33718 (shared CWE-78)
CVE-2025-20349 (shared CWE-78)
CVE-2026-4802 (shared CWE-78)
CVE-2026-25857 (shared CWE-78)
CVE-2025-27364 (shared CWE-78)

References