CVE-2021-47752
Published: 15 January 2026
Summary
CVE-2021-47752 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Sylkat-Tools Awebserver. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 38.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2021-47752 is a denial-of-service vulnerability in AWebServer GhostBuilding 18, stemming from CWE-770 (allocation of resources without limits or throttling). The flaw allows remote attackers to overwhelm the server through multiple concurrent HTTP requests, targeting endpoints such as /mysqladmin, which can crash the service or render it unresponsive. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): the impact is on availability only, the attack is reachable over the network, and no privileges or user interaction are required.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity by generating high-volume concurrent requests to affected endpoints. Successful exploitation results in server resource exhaustion, leading to denial of service through crashes or unresponsiveness, without impacting confidentiality or integrity.
References include the AWebServer project page at http://sylkat-tools.rf.gd/awebserver.htm, its Google Play listing at https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/50629. No specific patches or mitigation steps are detailed in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2786
Vulnerability details
AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive.
- CWE(s): CWE-770
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly describes remote exploitation of an application resource exhaustion flaw (CWE-770) to crash the service or render it unavailable, matching T1499.004 Application or System Exploitation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SC-5 implements denial-of-service protections specifically designed to counter resource exhaustion from high-volume concurrent HTTP requests as exploited in this CVE.
SC-6 protects resource availability by enforcing limits and throttling on resource allocation to prevent the server overwhelm and crashes caused by unconstrained concurrent requests.
SC-7 provides boundary protection mechanisms such as rate limiting and traffic filtering to block excessive concurrent requests before they exhaust server resources.
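One way to enforce the limits that SC-5 and SC-6 call for in front of a request handler, as an added example that is not code from AWebServer or from this page: an admission controller that caps in-flight requests per client and overall, and rejects the excess instead of queueing it. The class and function names, the limit values and the client addresses are assumptions made for the illustration.

```python
import threading
from collections import Counter

class AdmissionController:
    """Bounds concurrent requests so a burst cannot allocate unbounded resources (CWE-770)."""

    def __init__(self, max_total, max_per_client):
        self.max_total = max_total              # assumed global cap on in-flight requests
        self.max_per_client = max_per_client    # assumed cap per client address
        self._lock = threading.Lock()
        self._in_flight = Counter()             # client -> requests currently being served
        self._total = 0

    def admit(self, client):
        """Return None when admitted, otherwise the HTTP status to reject with."""
        with self._lock:
            if self._in_flight[client] >= self.max_per_client:
                return 429                      # this client already holds its share
            if self._total >= self.max_total:
                return 503                      # server is at capacity: shed, do not queue
            self._in_flight[client] += 1
            self._total += 1
            return None

    def release(self, client):
        with self._lock:
            self._in_flight[client] -= 1
            self._total -= 1
            if self._in_flight[client] == 0:
                del self._in_flight[client]     # keep the tracking table bounded too

def serve(ctrl, client, path, handler):
    """Run handler(path) only if admitted; always give the slot back, even on error."""
    status = ctrl.admit(client)
    if status is not None:
        return status, b""
    try:
        return 200, handler(path)
    finally:
        ctrl.release(client)

def simulate_burst(ctrl, clients, per_client):
    """Constructed scenario: every client opens per_client requests that all stay in flight."""
    results = Counter()
    for _ in range(per_client):
        for client in clients:
            status = ctrl.admit(client)
            results[200 if status is None else status] += 1
    return results
```

Rejections are cheap by design: a refused request takes the lock briefly and allocates nothing, so the cost of a burst stays bounded by the two caps.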