CVE-2021-35047

CRITICAL

Fidelis Network & Deception <9.3.7, 9.4 - Command Injection


Description

A vulnerability in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with user-level access to the CLI to inject root-level commands into the component and neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.securifera.com/blog/2021/06/24/operation-eagle-eye/

Scores

CVSS v3: 9.9
EPSS: 0.0164
EPSS Percentile: 73.4%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (4):
fidelissecurity/deception 9.4
fidelissecurity/deception < 9.3.7
fidelissecurity/network 9.4
fidelissecurity/network < 9.3.7
Published: Jun 25, 2021
Tracked Since: Feb 18, 2026