{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/impresscms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47938"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ImpressCMS 1.4.2"],"_cs_severities":["high"],"_cs_tags":["code-injection","rce","impresscms"],"_cs_type":"advisory","_cs_vendors":["ImpressCMS"],"content_html":"\u003cp\u003eImpressCMS 1.4.2 is susceptible to a remote code execution vulnerability, identified as CVE-2021-47938, within the autotasks administrative interface. This flaw allows authenticated attackers to inject arbitrary PHP code by manipulating the \u003ccode\u003esat_code\u003c/code\u003e parameter. Successful exploitation allows attackers to execute arbitrary PHP commands on the targeted system, potentially leading to full system compromise. This vulnerability requires authentication, limiting the scope of potential attackers to those with valid credentials or those who can bypass authentication mechanisms. Defenders need to ensure proper input validation and access controls to prevent unauthorized code injection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the ImpressCMS application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request targeting \u003ccode\u003e/modules/system/admin.php?fct=autotasks\u0026amp;op=mod\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003esat_code\u003c/code\u003e parameter containing malicious PHP code.\u003c/li\u003e\n\u003cli\u003eThe application improperly processes the \u003ccode\u003esat_code\u003c/code\u003e parameter, leading to code injection.\u003c/li\u003e\n\u003cli\u003eThe injected code creates an executable file on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers execution of the created file via a GET request.\u003c/li\u003e\n\u003cli\u003eArbitrary PHP code is executed on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47938 allows attackers to execute arbitrary PHP code on the ImpressCMS server. This can lead to complete compromise of the application and the underlying system, including data theft, website defacement, or further propagation of attacks within the network. Given the high CVSS score of 8.8, this vulnerability poses a significant risk to organizations using the affected version of ImpressCMS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to all user-supplied data, especially the \u003ccode\u003esat_code\u003c/code\u003e parameter, to prevent code injection (CVE-2021-47938).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided to detect malicious POST requests to \u003ccode\u003e/modules/system/admin.php\u003c/code\u003e with suspicious content in the \u003ccode\u003esat_code\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eEnsure that the ImpressCMS application is running with least privilege to limit the impact of successful code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:20:36Z","date_published":"2026-05-10T13:20:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-impresscms-rce/","summary":"ImpressCMS 1.4.2 is vulnerable to remote code execution (RCE) via the autotasks administrative interface, where authenticated attackers can inject malicious PHP code into the sat_code parameter via a POST request to /modules/system/admin.php, leading to arbitrary PHP code execution through GET parameters (CVE-2021-47938).","title":"ImpressCMS 1.4.2 Remote Code Execution via Autotasks Interface (CVE-2021-47938)","url":"https://feed.craftedsignal.io/briefs/2026-05-impresscms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — ImpressCMS","version":"https://jsonfeed.org/version/1.1"}