Cyber Resilience

CVE-2021-47858

Medium · Public PoC

Published: 21 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v4: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0005 (16.7th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47858 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Genexis Platinum-4410 P4410-V2-1 (inferred from references). Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2021-47858 is a stored cross-site scripting (XSS) vulnerability affecting the Genexis Platinum-4410 router running firmware version P4410-V2-1.31A. The flaw resides in the 'start_addr' parameter of the Security Management interface, where attackers can inject malicious scripts via the start source address field. These scripts persist in the system and execute when privileged users access the security management page. The issue is classified under CWE-79 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary JavaScript in the browser context of privileged users viewing the affected page, potentially leading to session hijacking, data theft, or further compromise. The scope is changed (S:C), and the impact on confidentiality and integrity is rated low.

Advisories and references, including those from VulnCheck and Exploit-DB, detail the issue and provide a public proof-of-concept exploit at https://www.exploit-db.com/exploits/49709. The Genexis product page at https://genexis.eu/product/platinum-series/ offers context on the affected hardware, though specific patch details are not outlined in available information.

A public exploit is available, indicating potential for widespread testing or abuse against unpatched devices.

Vulnerability details

Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS in public router web interface directly enables remote exploitation of a public-facing application without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47873 (Shared CWE-79)
CVE-2026-7052 (Shared CWE-79)
CVE-2024-56060 (Shared CWE-79)
CVE-2025-49043 (Shared CWE-79)
CVE-2026-40038 (Shared CWE-79)
CVE-2024-56022 (Shared CWE-79)
CVE-2025-68889 (Shared CWE-79)
CVE-2026-1074 (Shared CWE-79)
CVE-2025-22539 (Shared CWE-79)
CVE-2025-22286 (Shared CWE-79)

Affected Assets

Genexis Platinum-4410 P4410-V2-1 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation
prevent

Directly blocks persistent injection of malicious scripts into the start_addr field by validating all inputs before storage.

SI-15 Information Output Filtering
prevent

Filters script content when the stored start_addr value is rendered on the Security Management page for privileged users.

SC-18 Mobile Code (partial match)
prevent

Restricts use and execution of mobile code (JavaScript) within the web interface, limiting the impact of stored XSS payloads.
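The SI-10 and SI-15 controls above, sketched as an added example; this is not Genexis firmware code or code from the referenced advisories. It assumes the start source address field only needs a literal IPv4 address, and the function names and sample values are hypothetical.

```python
import html
import ipaddress

MAX_LEN = 15  # longest dotted-quad IPv4 string, "255.255.255.255"

def validate_start_addr(raw):
    """SI-10: allow-list check before storage. Returns the canonical address.

    Assumption: the start source address field only needs a literal IPv4 address.
    """
    if not isinstance(raw, str) or len(raw) > MAX_LEN:
        raise ValueError("start_addr must be a dotted-quad IPv4 address")
    try:
        return str(ipaddress.IPv4Address(raw))
    except ipaddress.AddressValueError:
        raise ValueError("start_addr must be a dotted-quad IPv4 address") from None

def render_start_addr_cell(stored):
    """SI-15: HTML-encode at render time, whatever is in storage.

    Covers values saved before validation existed or written by another path.
    """
    return "<td>" + html.escape(stored, quote=True) + "</td>"

def filter_submissions(values):
    """Split submitted values into (accepted, rejected) using the validator."""
    accepted, rejected = [], []
    for value in values:
        try:
            accepted.append(validate_start_addr(value))
        except ValueError:
            rejected.append(value)
    return accepted, rejected

# Constructed sample input, not taken from the device or the public PoC.
SAMPLE = ["192.168.1.10", "10.0.0.1 ", "10.0.0.0/8", "<script>x</script>"]

if __name__ == "__main__":
    ok, bad = filter_submissions(SAMPLE)
    print("stored:", ok)
    print("rejected:", bad)
    # A legacy row that predates validation still renders as inert text.
    print(render_start_addr_cell(SAMPLE[3]))
```

Validation alone does not clean rows that were stored before the check existed, which is why the render path encodes independently of it.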
