CVE-2021-42071

CRITICAL EXPLOITED IN THE WILD NUCLEI

Visual Tools DVR VX16 4.2.28.0 - Unauthenticated Remote Command Execution via User-Agent Header

Title source: llm

Exploitation Summary

CVE-2021-42071 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Andrea D\'Ubaldo. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated OS command injection vulnerability in Visual Tools DVR VX16 4.2.28.0. It leverages a malformed User-Agent header to inject arbitrary commands, resulting in remote code execution.

Description

In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.

Exploits (1)

exploitdb WORKING POC

by Andrea D\'Ubaldo · textwebappsmultiple

https://www.exploit-db.com/exploits/50098

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated OS command injection vulnerability in Visual Tools DVR VX16 4.2.28.0. It leverages a malformed User-Agent header to inject arbitrary commands, resulting in remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Visual Tools DVR VX16 v4.2.28.0

No auth needed

Prerequisites: Network access to the target device · Target device running vulnerable software

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection

CRITICALby gy741

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/50098

Vendor Advisory x_refsource_misc

https://visual-tools.com/

Exploit, Third Party Advisory x_refsource_misc

https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/

Scores

CVSS v3 9.8

EPSS 0.6988

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-03-06

InTheWild.io 2021-09-30

CWE

CWE-78

Status published

Products (1)

visual-tools/dvr_vx16_firmware 4.2.28.0

Published Oct 07, 2021

Tracked Since Feb 18, 2026