CVE-2021-46354

HIGH

Thinfinity VirtualUI <3.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-46354. PoCs published by Daniel Morales.

AI-analyzed exploit summary: This is a writeup describing an SSRF vulnerability in Thinfinity VirtualUI versions prior to 2.5.26.2. The vulnerability allows an attacker to induce the application to interact with arbitrary external services, potentially leaking the real IP of the webserver or bypassing CDN protections.

Description

Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2 (fixed in version 3.0) are affected by an information disclosure vulnerability in the parameter "Addr" in the cmd site. The ability to send requests to other systems can allow the vulnerable server to leak the real IP of the web server or increase the attack surface.

Exploits (1)

exploitdb WRITEUP
by Daniel Morales · text · webapps · multiple
https://www.exploit-db.com/exploits/50771


Classification: Writeup (90%)
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Thinfinity VirtualUI < 2.5.26.2
No auth needed
Prerequisites: Network access to the vulnerable Thinfinity VirtualUI instance
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Vendor Advisory (x_refsource_misc): http://thinfinity.com
Third Party Advisory (x_refsource_misc): https://github.com/cybelesoft/virtualui/issues/3

Scores

CVSS v3: 7.5
EPSS: 0.1555
EPSS Percentile: 96.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-668
Status: published
Products (3):
cybelesoft/thinfinity_virtualui 2.1.28.0
cybelesoft/thinfinity_virtualui 2.1.32.1
cybelesoft/thinfinity_virtualui 2.5.26.2
Published: Feb 09, 2022
Tracked Since: Feb 18, 2026