CVE-2021-45092

CRITICAL EXPLOITED NUCLEI

Thinfinity VirtualUI <3.0 - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-45092 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Daniel Morales. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit describes an IFRAME injection vulnerability in Thinfinity VirtualUI versions prior to 3.0. The vulnerability allows an attacker to embed external websites via a crafted URL parameter, potentially leading to phishing or other attacks.

Description

Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.

Exploits (1)

exploitdb WRITEUP
by Daniel Morales · textwebappsmultiple
https://www.exploit-db.com/exploits/50770

This exploit describes an IFRAME injection vulnerability in Thinfinity VirtualUI versions prior to 3.0. The vulnerability allows an attacker to embed external websites via a crafted URL parameter, potentially leading to phishing or other attacks.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Thinfinity VirtualUI < v3.0
No auth needed
Prerequisites: Access to a vulnerable Thinfinity VirtualUI instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Thinfinity Iframe Injection
CRITICALby danielmofer
Shodan: http.title:"thinfinity virtualui"
FOFA: title="thinfinity virtualui"

References (2)

Core 2
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/cybelesoft/virtualui/issues/2

Scores

CVSS v3 9.8
EPSS 0.3997
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-22
Status published
Products (1)
cybelesoft/thinfinity_virtualui < 3.0
Published Dec 16, 2021
Tracked Since Feb 18, 2026