Cyber Resilience

CVE-2021-47745

HighPublic PoCRCE

Published: 31 December 2025

Published
31 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0119 63.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2021-47745 is a high-severity OS Command Injection (CWE-78) vulnerability in Bc (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 36.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47745 is an authenticated command injection vulnerability in Cypress Solutions CTM-200 version 2.7.1. The flaw exists in the firmware upgrade script, ctm-config-upgrade.sh, where the 'fw_url' parameter fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary shell commands with root privileges. Classified under CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers require low-privilege authenticated access (PR:L) to exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables execution of arbitrary commands as root, granting high-impact control over confidentiality, integrity, and availability (C:H/I:H/A:H) without changing the scope (S:U), potentially leading to full system compromise.

Advisories and related resources, including those from Cypress Solutions (https://www.cypress.bc.ca), Exploit-DB (https://www.exploit-db.com/exploits/50408), VulnCheck (https://www.vulncheck.com/advisories/cypress-solutions-ctm-root-remote-os-command-injection-via-firmware-upgrade), and Zero Science Lab (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php), provide further details on patches and mitigation strategies.

A proof-of-concept exploit is publicly available on Exploit-DB, highlighting the vulnerability's exploitability in real-world scenarios.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with…

more

root privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Authenticated remote OS command injection in firmware upgrade script enables exploitation of remote services (T1210) to execute arbitrary Unix shell commands (T1059.004) as root, facilitating privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34792Shared CWE-78
CVE-2025-45378Shared CWE-78
CVE-2026-34005Shared CWE-78
CVE-2026-6644Shared CWE-78
CVE-2021-47747Shared CWE-78
CVE-2018-25143Shared CWE-78
CVE-2025-64120Shared CWE-78
CVE-2025-56113Shared CWE-78
CVE-2017-20215Shared CWE-78
CVE-2025-66212Shared CWE-78

Affected Assets

Bc
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires input validation mechanisms for the 'fw_url' parameter to block OS command injection in ctm-config-upgrade.sh.

prevent

Mandates identification, reporting, and correction of the specific command injection flaw via firmware patching.

prevent

Enforces least privilege on the firmware upgrade process to limit damage from injected commands even if validation fails.

References