CVE-2021-46704

CRITICAL NUCLEI

GenieACS <1.2.8 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-46704. PoCs published by MithatGuner, Erenlancaster. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC demonstrates a command injection vulnerability in GenieACS via the ping host argument, allowing unauthenticated remote code execution. It includes steps to validate the vulnerability and execute a reverse shell payload.

Description

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

Exploits (2)

nomisec WORKING POC 2 stars

by MithatGuner · poc

https://github.com/MithatGuner/CVE-2021-46704-POC

View Code ZIP pw:eip

This PoC demonstrates a command injection vulnerability in GenieACS via the ping host argument, allowing unauthenticated remote code execution. It includes steps to validate the vulnerability and execute a reverse shell payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GenieACS versions >=1.2.0 <1.2.8

No auth needed

Prerequisites: Network access to the target GenieACS instance · Target running vulnerable GenieACS version

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER

by Erenlancaster · poc

https://github.com/Erenlancaster/CVE-2021-46704

View Code ZIP pw:eip

This repository contains a Nuclei template for detecting CVE-2021-46704, an OS command injection vulnerability in GenieACS. It does not include exploit code but provides references and a detection method.

Classification

Scanner 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: GenieACS

No auth needed

Prerequisites: Access to the GenieACS interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

GenieACS => 1.2.8 - OS Command Injection

CRITICALVERIFIEDby DhiyaneshDK

Shodan: http.favicon.hash:-2098066288 || http.html:"genieacs"

FOFA: body="genieacs" || icon_hash=-2098066288

References (2)

Core 2

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/genieacs/genieacs/releases/tag/v1.2.8

Patch, Third Party Advisory x_refsource_misc

https://github.com/genieacs/genieacs/commit/7f295beeecc1c1f14308a93c82413bb334045af6

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.8693

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

genieacs/genieacs 1.2.0 - 1.2.8

npm/genieacs 0 - 1.2.8npm

Published Mar 06, 2022

Tracked Since Feb 18, 2026