CVE-2021-47770
Published: 21 January 2026
Summary
CVE-2021-47770 is a high-severity Code Injection (CWE-94) vulnerability in Openplcproject (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Prevents code injection vulnerability by validating and sanitizing uploaded custom hardware layer files in the configuration interface.
Restricts access to hardware configuration changes, preventing low-privilege authenticated users from uploading malicious layers.
Scans and blocks malicious code such as embedded reverse shells in uploaded hardware layers before execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2021-47770 enables exploitation of a public-facing application (OpenPLC hardware configuration interface) for initial access (T1190) and facilitates privilege escalation from low-privilege authenticated access to full remote code execution (T1068).
NVD Description
OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution.
Deeper analysis
CVE-2021-47770 is an authenticated remote code execution vulnerability in OpenPLC v3, published on 2026-01-21. The flaw resides in the hardware configuration interface, where attackers with valid credentials can upload a custom hardware layer embedded with malicious reverse shell code. This code establishes a network connection to an attacker-specified IP and port, enabling arbitrary remote command execution. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (code injection).
Exploitation requires low-privilege authenticated access over the network, with low attack complexity and no user interaction needed. An attacker can achieve full remote code execution on the targeted OpenPLC v3 instance, potentially compromising the programmable logic controller (PLC) environment, exfiltrating data, modifying control logic, or disrupting operations.
References for this CVE include the OpenPLC project site (https://www.openplcproject.com/), the GitHub repository (https://github.com/thiagoralves/OpenPLC_v3), the VulnCheck advisory (https://www.vulncheck.com/advisories/openplc-remote-code-execution), and a public proof-of-concept exploit (https://www.exploit-db.com/exploits/49803). Practitioners should review the vendor and advisory sources for patching instructions or configuration hardening to prevent unauthorized hardware layer uploads.
A public exploit is available on Exploit-DB, indicating potential for real-world abuse in industrial control system environments running OpenPLC v3.
Details
- CWE(s)