CVE-2021-4466
HIGH
IPCop <2.1.9 - Authenticated RCE
Title source: llmDescription
IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitization. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise.
Exploits (1)
exploitdb
WORKING POC
by Mücahit Saratar · python · webapps · cgi
https://www.exploit-db.com/exploits/50183
Scores
CVSS v4: 8.7
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0036
EPSS Percentile: 58.0%
Details
CWE: CWE-78
Status: published
Products (1): IPCop Project/IPCop < 2.1.9
Published: Nov 14, 2025
Tracked Since: Feb 18, 2026