CVE-2021-43936

CRITICAL EXPLOITED

WebHMI - Code Injection

Description

The software allows an attacker to upload or transfer files of dangerous types to the WebHMI portal; these files may be automatically processed within the product's environment or lead to arbitrary code execution.

Exploits (2)

exploitdb WORKING POC
by Jeremiasz Pluta · python, webapps, php
https://www.exploit-db.com/exploits/50589

nomisec WORKING POC 8 stars
by LongWayHomie · remote
https://github.com/LongWayHomie/CVE-2021-43936

Scores

CVSS v3 10.0
EPSS 0.2838
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

VulnCheck KEV 2024-05-09
CWE CWE-434
Status published
Products (1)
webhmi/webhmi_firmware < 4.1
Published Dec 06, 2021
Tracked Since Feb 18, 2026