CVE-2021-47777
Published: 15 January 2026
Summary
CVE-2021-47777 is a high-severity SQL Injection (CWE-89) vulnerability in Ribccs (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-47777 is an unauthenticated SQL injection vulnerability affecting Build Smart ERP version 21.0817, specifically in the 'eidValue' parameter of the login validation endpoint. This flaw, classified under CWE-89, allows attackers to inject stacked SQL queries, such as ';WAITFOR DELAY '0:0:3'--, enabling manipulation of database operations. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its potential for significant confidentiality impact with low integrity impact and no availability disruption.
Any unauthenticated attacker with network access can exploit this vulnerability by sending crafted requests to the login validation endpoint, requiring no privileges or user interaction. Successful exploitation allows manipulation of database queries, potentially leading to extraction or modification of sensitive database information, as demonstrated by the stacked query payload that introduces delays or further commands.
Advisories and additional details are available through references including the vendor solution page at https://ribccs.com/solutions/solution-buildsmart and a proof-of-concept exploit at https://www.exploit-db.com/exploits/50445.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2758
Vulnerability details
Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify…
more
database information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote SQL injection in a public-facing ERP login endpoint directly enables T1190 (Exploit Public-Facing Application) for database manipulation and data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by requiring validation of untrusted inputs such as the 'eidValue' parameter in the login endpoint before database query execution.
Mandates identification, reporting, and correction of flaws like this unauthenticated SQL injection vulnerability in the application.
Facilitates detection of SQL injection vulnerabilities through vulnerability scanning, enabling timely remediation of issues like CVE-2021-47777.