Cyber Resilience

CVE-2021-47752

High · Public PoC · DDoS

Published: 15 January 2026

Modified: 23 January 2026
KEV Added
Patch
CVSS Score v4: 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0049 (38.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47752 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Sylkat-Tools Awebserver. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 38.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2021-47752 is a denial-of-service vulnerability in AWebServer GhostBuilding 18, stemming from CWE-770 (allocation of resources without limits or throttling). The flaw allows remote attackers to overwhelm the server through multiple concurrent HTTP requests, targeting endpoints such as /mysqladmin, which can crash the service or render it unresponsive. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact with network accessibility and no prerequisites.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity by generating high-volume concurrent requests to affected endpoints. Successful exploitation results in server resource exhaustion, leading to denial of service through crashes or unresponsiveness, without impacting confidentiality or integrity.
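A defender-side check for the request pattern described above, added here as an example (it is not code from this page or from the AWebServer project): it scans access-log lines and reports clients whose request count inside a short sliding window reaches a threshold, along with the paths they hit. The Common Log Format, the 2-second window, the threshold of 20, and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Common Log Format. The page does not describe AWebServer's log layout.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+')

def parse(line):
    """Return (client_ip, timestamp, path), or None for a malformed line."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_bursts(lines, window_s=2, threshold=20):
    """Map client_ip -> (peak requests in any window, {path: count}) for
    clients that reach the threshold. Expects each client's lines in time order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)            # per-client timestamps still in window
    peak = defaultdict(int)
    paths = defaultdict(lambda: defaultdict(int))
    for ip, when, path in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:        # drop timestamps that left the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip][path] += 1
    return {ip: (n, dict(paths[ip])) for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: one bursting client, one ordinary client, one bad line."""
    fmt = '{ip} - - [15/Jan/2026:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    burst = [fmt.format(ip="192.0.2.10", s=i // 20,
                        p="/mysqladmin" if i < 30 else "/") for i in range(40)]
    quiet = [fmt.format(ip="198.51.100.7", s=i * 10, p="/") for i in range(5)]
    return burst + quiet + ["not a log line"]

if __name__ == "__main__":
    for ip, (n, hit) in find_bursts(sample_log()).items():
        print(f"{ip}: peak {n} requests in window, paths {hit}")
```
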

References include the AWebServer project page at http://sylkat-tools.rf.gd/awebserver.htm, its Google Play listing at https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/50629. No specific patches or mitigation steps are detailed in the provided information.

EU & UK References

Vulnerability details

AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE directly describes remote exploitation of an application resource exhaustion flaw (CWE-770) to crash or render the service unavailable, matching T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47877 · Shared CWE-770
CVE-2021-47784 · Shared CWE-770
CVE-2021-47793 · Shared CWE-770
CVE-2021-47895 · Shared CWE-770
CVE-2026-23490 · Shared CWE-770
CVE-2026-31866 · Shared CWE-770
CVE-2026-33260 · Shared CWE-770
CVE-2026-33012 · Shared CWE-770
CVE-2026-5438 · Shared CWE-770
CVE-2024-57662 · Shared CWE-770

Affected Assets

sylkat-tools
awebserver
18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-5 implements denial-of-service protections specifically designed to counter resource exhaustion from high-volume concurrent HTTP requests as exploited in this CVE.

prevent

SC-6 protects resource availability by enforcing limits and throttling on resource allocation to prevent the server overwhelm and crashes caused by unconstrained concurrent requests.

prevent

SC-7 provides boundary protection mechanisms such as rate limiting and traffic filtering to block excessive concurrent requests before they exhaust server resources.

References