CVE-2021-46704

CRITICAL NUCLEI

GenieACS <1.2.8 - Command Injection

Title source: llm

Description

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

Exploits (2)

nomisec WORKING POC 2 stars

by MithatGuner · poc

https://github.com/MithatGuner/CVE-2021-46704-POC

View Code ZIP pw:eip

nomisec SCANNER

by Erenlancaster · poc

https://github.com/Erenlancaster/CVE-2021-46704

View Code ZIP pw:eip

Nuclei Templates (1)

GenieACS => 1.2.8 - OS Command Injection

CRITICALVERIFIEDby DhiyaneshDK

Shodan: http.favicon.hash:-2098066288 || http.html:"genieacs"

FOFA: body="genieacs" || icon_hash=-2098066288

References (2)

[Patch, Third Party Advisory] https://github.com/genieacs/genieacs/commit/7f295beeecc1c1f14308a93c82413bb334045af6

[Release Notes, Third Party Advisory] https://github.com/genieacs/genieacs/releases/tag/v1.2.8

Scores

CVSS v3 9.8

EPSS 0.8693

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

genieacs/genieacs 1.2.0 - 1.2.8

npm/genieacs 0 - 1.2.8npm

Published Mar 06, 2022

Tracked Since Feb 18, 2026