CVE-2021-47849
Published: 21 January 2026
Summary
CVE-2021-47849 is a high-severity Path Traversal (CWE-22) vulnerability in Yodinfo Mini Mouse. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2021-47849 is a path traversal vulnerability in Mini Mouse version 9.3.0, a remote control application available on the Apple App Store. The flaw affects the device information endpoint, where attackers can manipulate file path parameters in API requests to access sensitive system directories such as /usr, /etc, and /var, enabling retrieval of file lists from these locations. Mapped to CWE-22, it carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but no integrity or availability disruption.
Local attackers can exploit this vulnerability without privileges or user interaction, as the low attack complexity and local vector (AV:L) suggest access to the same system or device running the affected application. Successful exploitation allows reading arbitrary files from protected directories, potentially exposing configuration data, credentials, or other sensitive information stored in /etc, /usr, or /var, which could aid further attacks like privilege escalation or lateral movement.
Advisories from Vulncheck detail the local file inclusion via path traversal, while Exploit-DB hosts a proof-of-concept exploit (ID 49747) demonstrating the issue. No specific patches are mentioned in the provided references, but practitioners should verify updates via the application's App Store listing and avoid version 9.3.0 on affected devices.
A public exploit is available on Exploit-DB, indicating potential for real-world abuse by local adversaries targeting macOS or iOS environments where Mini Mouse is installed.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3642
Vulnerability details
Mini Mouse 9.3.0 contains a path traversal vulnerability that allows attackers to access sensitive system directories through the device information endpoint. Attackers can retrieve file lists from system directories like /usr, /etc, and /var by manipulating file path parameters in…
more
API requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal directly enables local file/directory enumeration and data retrieval from sensitive system paths.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks manipulation of file path parameters in the device information endpoint before path traversal occurs.
Enforces access rules on file system objects so that even a traversed path cannot retrieve contents of /etc, /usr or /var.
Limits the Mini Mouse process to the minimum set of directories, reducing the impact of any successful path traversal.