CVE-2020-21999

HIGH

IWT Facesentry Access Control System Firmware - OS Command Injection

Title source: rule

Description

iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in the pingTest PHP script.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · python · webapps · hardware
https://www.exploit-db.com/exploits/47066

Scores

CVSS v3 8.8
EPSS 0.2029
EPSS Percentile 95.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (3)
iwt/facesentry_access_control_system_firmware 5.7.0
iwt/facesentry_access_control_system_firmware 5.7.2
iwt/facesentry_access_control_system_firmware 6.4.8
Published May 04, 2021
Tracked Since Feb 18, 2026