
CVE-2021-40222 PoC — Rittal CMC PU III OS Command Injection Vulnerability

Associated Vulnerability
Title: Rittal CMC PU III OS Command Injection Vulnerability (CVE-2021-40222)
Description: Rittal CMC PU III Web management (version affected: V3.11.00_2; version fixed: V3.17.10) is affected by a remote code execution vulnerability. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. The web application fails to sanitize user input on the Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device, which will be executed once the data is received.
Description
Remote Code Execution at Rittal
Readme
# CVE-2021-40222
**Application**: Rittal CMC PU III Web management

**Devices**: CMC PU III 7030.000

**Software Revision**: V3.11.00_2

**Hardware Revision**: V3.00

**Attack type**: Remote Code Execution

**Solution**: Update to Software Revision V3.17.10 or later

**Summary**: The web application fails to sanitize user input on the Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device, which are executed a few seconds after the data is received. An attacker can create a backdoor on the device or simply execute a reverse shell that connects back to the attacker's machine. Successful exploitation requires admin access to the management interface of the device with a valid or hijacked session.

**Timeline**:
* 2021-08-03 Issues discovered
* 2021-08-08 First contact with vendor via e-mail
* 2021-08-23 Second contact with vendor via e-mail
* 2021-09-01 Vulnerability patch confirmed
File Snapshot

[4.0K] /data/pocs/60a7c64bffb6d2cd9add08c2a52e37cd5409f452
├── [382K] RCE IN RITTAL CMC III.pdf
├── [1.9M] RCE.mp4
└── [ 922] README.md

0 directories, 3 files