CVE-2021-47816

HIGH

Thecus N4800Eco - Command Injection

Title source: llm

Description

Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with administrative privileges.

Exploits (1)

exploitdb WORKING POC

by Metin Yunus Kandemir · pythonwebappshardware

https://www.exploit-db.com/exploits/49926

View Code ZIP pw:eip

References (5)

[Various Sources] http://www.thecus.com/product.php?PROD_ID=83

[Various Sources] https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection

[Various Sources] http://www.thecus.com/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/49926

[Third Party Advisory] https://www.vulncheck.com/advisories/thecus-neco-nas-server-control-panel-command-injection

Scores

CVSS v3 8.8

EPSS 0.0008

EPSS Percentile 24.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Published Jan 16, 2026

Tracked Since Feb 18, 2026