CVE-2021-33357
CRITICAL EXPLOITED IN THE WILD NUCLEIRaspAP 2.6-2.6.5 - Unauthenticated OS Command Injection via iface GET Parameter
Title source: llmExploitation Summary
CVE-2021-33357 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
Nuclei Templates (1)
RaspAP <=2.6.5 - Remote Command Injection
CRITICALby pikpikcu,pdteam
Shodan:
http.favicon.hash:-1465760059
FOFA:
icon_hash=-1465760059
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_netcfg.php
Third Party Advisory x_refsource_misc
https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
Scores
CVSS v3
9.8
EPSS
0.1790
EPSS Percentile
96.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2021-12-21
InTheWild.io
2021-12-21
CWE
CWE-78
Status
published
Products (1)
raspap/raspap
2.6 - 2.6.5
Published
Jun 09, 2021
Tracked Since
Feb 18, 2026