
CVE-2021-47816

Severity: Medium · Public PoC
Published: 16 January 2026
Modified: 15 April 2026
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0163 (73.1st percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2021-47816 is a medium-severity OS Command Injection (CWE-78) vulnerability in Thecus N4800Eco NAS (inferred from references). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47816 is a command injection vulnerability (CWE-78) in the Thecus N4800Eco NAS Server Control Panel. It affects user management endpoints, where attackers can inject commands via username and batch user creation parameters, enabling execution of arbitrary shell commands with administrative privileges. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

Authenticated attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary system commands as an administrator, potentially leading to full control over the NAS device, including data exfiltration, modification, or deletion, as well as disruption of services.
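As an added illustration (not code from Thecus or from the referenced advisories) of the CWE-78 pattern described above and of the input-validation control listed later on this page, the hypothetical user-management handler below places the unsafe construction beside a hardened version: an allowlist for account names, batch entries checked before any is acted on, and the command passed as an argument vector so no shell ever parses the value. The allowlist pattern and the `useradd` invocation are assumptions for the example, not the device's real implementation.

```python
import re
import subprocess

# Assumed policy: POSIX-style account names only, no shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def unsafe_add_user_command(username: str) -> str:
    """CWE-78 pattern (hypothetical): the untrusted field is spliced into a
    string a shell will parse, so 'alice; id' becomes two commands.
    Returned as a string for illustration, never executed here."""
    return f"useradd {username}"


def validate_username(username: str) -> bool:
    """Accept only allowlisted names; do not try to strip or escape bad input."""
    return bool(USERNAME_RE.fullmatch(username))


def build_add_user_argv(username: str) -> list[str]:
    """Hardened form: the validated value is one argv element. The '--' stops
    option parsing, so a name starting with '-' cannot become a useradd flag."""
    if not validate_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return ["useradd", "--", username]


def parse_batch(batch_text: str) -> list[str]:
    """Batch user creation, one name per line. Fails closed: if any line is
    invalid the whole batch is rejected before a single command is built."""
    names = [line.strip() for line in batch_text.splitlines() if line.strip()]
    bad = [n for n in names if not validate_username(n)]
    if bad:
        raise ValueError(f"batch rejected, invalid entries: {bad}")
    return names


def add_users(batch_text: str, run=subprocess.run) -> list[list[str]]:
    """Builds one argv per user and executes it via the injected runner.
    subprocess.run defaults to shell=False, so the OS receives exact arguments."""
    argvs = [build_add_user_argv(n) for n in parse_batch(batch_text)]
    for argv in argvs:
        run(argv, check=True)
    return argvs


if __name__ == "__main__":
    # Constructed sample input; the runner records argv instead of calling useradd.
    recorded = []
    add_users("alice\nbob\n", run=lambda argv, check: recorded.append(argv))
    print(recorded)
    for candidate in ("alice", "alice; id", "$(id)"):
        verdict = "accepted" if validate_username(candidate) else "rejected"
        print(repr(unsafe_add_user_command(candidate)), "->", verdict)
```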

Advisories and references, including those from VulnCheck and Exploit-DB, document the issue with a proof-of-concept exploit available at https://www.exploit-db.com/exploits/49926. Vendor pages at http://www.thecus.com/ and http://www.thecus.com/product.php?PROD_ID=83 provide product details, while https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection and https://www.vulncheck.com/advisories/thecus-neco-nas-server-control-panel-command-injection offer further technical analysis; no specific patch details are outlined in the provided information.

Vulnerability details

Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with administrative privileges.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection in the network-accessible NAS control panel directly enables exploitation of a public-facing application (T1190), Unix shell command execution (T1059.004), and privilege escalation from a low-privileged account to administrator (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27635 · Shared CWE-78
CVE-2025-56077 · Shared CWE-78
CVE-2026-28773 · Shared CWE-78
CVE-2025-56102 · Shared CWE-78
CVE-2026-24841 · Shared CWE-78
CVE-2026-26943 · Shared CWE-78
CVE-2025-56094 · Shared CWE-78
CVE-2026-28507 · Shared CWE-78
CVE-2025-56098 · Shared CWE-78
CVE-2025-60957 · Shared CWE-78

Affected Assets

Thecus
N4800Eco NAS
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5)

Prevent · SI-10 (Information Input Validation)
Directly prevents the command injection vulnerability by requiring validation of untrusted inputs such as the username and batch user creation parameters in the NAS control panel.

Prevent · SI-2 (Flaw Remediation)
Ensures timely identification, reporting, and correction of the specific command injection flaw in the Thecus N4800Eco control panel.

Prevent · Least privilege
Limits the damage from injected administrative shell commands by enforcing least privilege on control panel processes and users.
