CVE-2021-4473 CRITICAL

CVE-2021-4473: Tianxin Internet Behavior Management System Command Injection via toQuery.php

Vendor Beijing Topsec Network Security Technology Co., Ltd.

Product Tianxin Internet Behavior Management System

Weakness CWE-78

Published April 7, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).

Key dates

Disclosure timeline

April 7, 2026 CVE published

May 14, 2026 Record updated

Identifiers

CVE CVE-2021-4473

CWE CWE-78

CVSS 9.3 / CRITICAL

Affected versions

Vendor Beijing Topsec Network Security Technology Co., Ltd.

Product Tianxin Internet Behavior Management System

Affected < 4.0.0.7_20210716.180815