{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/evolution-cms-3.1.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47939"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Evolution CMS 3.1.6"],"_cs_severities":["high"],"_cs_tags":["cve","cve-2021-47939","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":["Evolution CMS"],"content_html":"\u003cp\u003eEvolution CMS 3.1.6 is susceptible to a remote code execution (RCE) vulnerability, CVE-2021-47939. This flaw allows authenticated users who possess module creation privileges to inject arbitrary PHP code into module parameters. Successful exploitation enables attackers to execute system-level commands on the underlying server. The vulnerability stems from insufficient input validation during module creation, making it possible to inject and execute malicious PHP code through crafted POST requests. 
This poses a significant risk to organizations using Evolution CMS, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for an Evolution CMS account with module creation permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request targeting \u003ccode\u003e/manager/index.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes malicious PHP code within the \u003ccode\u003epost\u003c/code\u003e parameter, designed to create a module.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code is crafted to execute arbitrary system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious POST request to create the module.\u003c/li\u003e\n\u003cli\u003eThe newly created module, containing the injected PHP code, is saved on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the newly created module, triggering the execution of the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe server executes the injected PHP code, allowing the attacker to run arbitrary system commands, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47939 allows an attacker to execute arbitrary system commands on the Evolution CMS server. This can lead to complete compromise of the system, including data theft, modification, or destruction. The attacker can potentially gain access to sensitive information, install malware, or use the compromised server as a staging ground for further attacks within the network. 
Given the high CVSS score of 8.8, this vulnerability poses a significant risk to organizations using affected versions of Evolution CMS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of Evolution CMS to remediate CVE-2021-47939.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2021-47939 Exploitation Attempt via Malicious POST Request\u0026rdquo; to identify exploitation attempts based on the injection of PHP code in POST requests.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures to prevent code injection vulnerabilities in web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/manager/index.php\u003c/code\u003e containing PHP code within the \u003ccode\u003epost\u003c/code\u003e parameter using the log source \u0026ldquo;webserver\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:20:49Z","date_published":"2026-05-10T13:20:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-evolution-cms-rce/","summary":"Evolution CMS version 3.1.6 is vulnerable to authenticated remote code execution, tracked as CVE-2021-47939. Users with module creation permissions can inject PHP code into module parameters by sending POST requests to '/manager/index.php' with malicious PHP code in the 'post' parameter; the resulting modules execute arbitrary system commands when invoked.","title":"Evolution CMS Authenticated Remote Code Execution via Module Creation (CVE-2021-47939)","url":"https://feed.craftedsignal.io/briefs/2026-05-evolution-cms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Evolution CMS 3.1.6","version":"https://jsonfeed.org/version/1.1"}