CVE-2021-26472
CRITICALVembu BDR Suite and OffsiteDR < 4.2.0.1 - Unauthenticated OS Command Injection via Download API
Title source: llmDescription
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://csirt.divd.nl/cases/DIVD-2020-00011/
Third Party Advisory x_refsource_confirm
https://csirt.divd.nl/2021/05/11/Vembu-zero-days/
Broken Link, Third Party Advisory x_refsource_confirm
https://www.wbsec.nl/vembu
Third Party Advisory x_refsource_confirm
https://csirt.divd.nl/cves/CVE-2021-26472/
Scores
CVSS v3
10.0
EPSS
0.0246
EPSS Percentile
82.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
vembu/bdr_suite
< 4.2.0.1
vembu/offsite_dr
< 4.2.0.1
Published
Jun 08, 2021
Tracked Since
Feb 18, 2026