Attack Chain

1. An unauthenticated attacker accesses the careers/job application endpoint of an OpenCATS 0.9.4 instance.
2. The attacker crafts a malicious PHP file containing the desired payload (e.g., a reverse shell or command execution).
3. The attacker disguises the PHP file as a resume attachment (e.g., by changing the file extension or embedding it within a PDF).
4. The attacker uploads the malicious file through the job application form.
5. The OpenCATS application saves the uploaded file to the server’s upload directory (location varies based on configuration).
6. The attacker identifies the location and filename of the uploaded file.
7. The attacker sends a POST request to the uploaded PHP file, including the system commands to be executed in the request body.
8. The server executes the commands specified in the POST request, enabling the attacker to achieve remote code execution.

Impact

Successful exploitation of CVE-2021-47936 allows unauthenticated attackers to execute arbitrary commands on the OpenCATS server. This can lead to complete system compromise, data theft, and denial of service. Given the nature of OpenCATS, a recruitment applicant tracking system, the impact includes exposure of sensitive applicant data. Since the exploit is unauthenticated, any OpenCATS 0.9.4 instance exposed to the internet is at risk.

Recommendation

• Apply available patches or upgrade to a supported version of OpenCATS to remediate CVE-2021-47936.
• Implement strict file type validation on all file upload endpoints, blocking the upload of executable files (e.g., PHP, ASP, JSP).
• Monitor web server logs for suspicious POST requests targeting files in the upload directory as detected by the Sigma rule “Detect OpenCATS RCE via Resume Upload”.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.