CVE-2020-21999

HIGH

iWT FaceSentry Access Control System 6.4.8 - Authenticated OS Command Injection via strInIP Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-21999. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit leverages an authenticated OS command injection vulnerability in FaceSentry Access Control System via the 'strInIP' parameter in pingTest.php. It uses default credentials to authenticate and then executes arbitrary commands as root.

Description

iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in the pingTest PHP script.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · python · webapps · hardware
https://www.exploit-db.com/exploits/47066


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FaceSentry Access Control System (Firmware 6.4.8 build 264, 5.7.2 build 568, 5.7.0 build 539)
Auth required
Prerequisites: Network access to the target · Default credentials (admin:123, user:123, administrator:123456)
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory · x_refsource_misc
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/47066

Scores

CVSS v3 8.8
EPSS 0.0524
EPSS Percentile 91.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (3)
iwt/facesentry_access_control_system_firmware 5.7.0
iwt/facesentry_access_control_system_firmware 5.7.2
iwt/facesentry_access_control_system_firmware 6.4.8
Published May 04, 2021
Tracked Since Feb 18, 2026