{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/schlix/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47964"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CMS"],"_cs_severities":["critical"],"_cs_tags":["CVE-2021-47964","rce","schlix cms","php"],"_cs_type":"advisory","_cs_vendors":["Schlix"],"content_html":"\u003cp\u003eCVE-2021-47964 is a remote code execution (RCE) vulnerability affecting Schlix CMS version 2.2.6-6. This flaw allows authenticated attackers to inject and execute arbitrary PHP code on the target system. The attack vector involves uploading a malicious extension package disguised as a ZIP file via the block manager functionality. The injected PHP code, typically embedded within the packageinfo.inc file of the extension, is then executed when an administrator accesses the \u0026ldquo;About\u0026rdquo; tab of the newly installed extension. Exploitation grants the attacker the ability to execute commands on the web server, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Schlix CMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the block manager interface within the CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP file containing a PHP file, commonly named \u003ccode\u003epackageinfo.inc\u003c/code\u003e, with the injected PHP code intended for execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP file as a new extension through the block manager.\u003c/li\u003e\n\u003cli\u003eThe Schlix CMS processes the uploaded ZIP file and installs the \u0026ldquo;extension\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;About\u0026rdquo; tab of the installed extension through the CMS interface.\u003c/li\u003e\n\u003cli\u003eAccessing the \u0026ldquo;About\u0026rdquo; tab triggers the execution of the injected PHP code within the \u003ccode\u003epackageinfo.inc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47964 allows an authenticated attacker to execute arbitrary PHP code on the affected Schlix CMS server. This can lead to complete system compromise, data theft, website defacement, or further lateral movement within the network. Given the ease of exploitation and the severity of the impact, organizations using Schlix CMS 2.2.6-6 are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Schlix CMS that addresses CVE-2021-47964, if available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2021-47964 Exploitation — Malicious Extension Upload\u0026rdquo; to detect attempts to upload malicious ZIP files containing PHP code via the block manager.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the block manager interface (\u003ccode\u003e/admin/\u003c/code\u003e) with suspicious ZIP file uploads, as indicated in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit who can upload and install extensions within the Schlix CMS environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T19:19:56Z","date_published":"2026-05-15T19:19:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47964-schlix-rce/","summary":"Schlix CMS 2.2.6-6 contains a remote code execution vulnerability, tracked as CVE-2021-47964, allowing authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager and triggering execution by accessing the 'About' tab.","title":"CVE-2021-47964: Schlix CMS Remote Code Execution via Malicious Extension Upload","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47964-schlix-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Schlix","version":"https://jsonfeed.org/version/1.1"}