{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2021-4473", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-15T20:57:10.582Z", "datePublished": "2026-04-07T12:50:58.200Z", "dateUpdated": "2026-05-14T02:06:51.986Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:06:51.986Z"}, "title": "Tianxin Internet Behavior Management System Command Injection via toQuery.php", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Beijing Topsec Network Security Technology Co., Ltd.", "product": "Tianxin Internet Behavior Management System", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.0.7_20210716.180815", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC)."}]}], "tags": ["x_known-exploited-vulnerability"], "references": [{"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972", "tags": ["government-resource"]}, {"url": "https://www.cnvd.org.cn/patchInfo/show/280166", "tags": ["patch"]}, {"url": "https://cn-sec.com/archives/4631959.html", "tags": ["technical-description", "exploit"]}, {"url": "https://avd.aliyun.com/detail?id=AVD-2021-890232", "tags": ["third-party-advisory"]}, {"url": "https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "The Shadowserver Foundation", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:45:03.013999Z", "id": "CVE-2021-4473", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:45:21.214Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-4473", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:45:03.013999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:45:17.972Z"}}], "cna": {"tags": ["x_known-exploited-vulnerability"], "title": "Tianxin Internet Behavior Management System Command Injection via toQuery.php", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "The Shadowserver Foundation"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Beijing Topsec Network Security Technology Co., Ltd.", "product": "Tianxin Internet Behavior Management System", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.0.7_20210716.180815", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972", "tags": ["government-resource"]}, {"url": "https://www.cnvd.org.cn/patchInfo/show/280166", "tags": ["patch"]}, {"url": "https://cn-sec.com/archives/4631959.html", "tags": ["technical-description", "exploit"]}, {"url": "https://avd.aliyun.com/detail?id=AVD-2021-890232", "tags": ["third-party-advisory"]}, {"url": "https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).", "supportingMedia": [{"type": "text/html", "value": "Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:06:51.986Z"}}}, "cveMetadata": {"cveId": "CVE-2021-4473", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:06:51.986Z", "dateReserved": "2026-01-15T20:57:10.582Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-07T12:50:58.200Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:topsecgroup:tianxin_internet_behavior_management_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2353ABC-C31C-4FF4-A316-A3827377EA05", "versionEndExcluding": "4.0.0.7_20210716.180815", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC)."}], "id": "CVE-2021-4473", "lastModified": "2026-04-24T15:12:17.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-07T13:16:44.540", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://avd.aliyun.com/detail?id=AVD-2021-890232"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://cn-sec.com/archives/4631959.html"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://www.cnvd.org.cn/patchInfo/show/280166"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.0.7_20210716.180815)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Tianxin Internet Behavior Management System", "source": "cna", "vendor": "Beijing Topsec Network Security Technology Co., Ltd."}, "product": "tianxin_internet_behavior_management_system", "vendor": "beijing_topsec_network_security"}], "analysis": {"en": {"generated_at": "2026-04-28T08:44:54.021634+00:00", "value": {"mitigation_remediation": ["Download and install the official firmware update NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin.", "Verify the integrity of the firmware using the provided checksums or digital signatures.", "Reboot the device to apply the patch and confirm the Reporter endpoint no longer accepts crafted parameters.", "Monitor logs for attempted command injection attempts.", "If unable to update immediately, restrict network access to the device and block HTTP requests to the Reporter endpoint to mitigate exposure."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects Beijing Topsec Network Security Technology Co., Ltd.'s Tianxin Internet Behavior Management System. While specific vulnerable firmware revisions are not listed, all releases prior to NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin are potentially impacted. The Reporter component, which processes the toQuery.php endpoint, is the entry point for exploitation.", "description_and_impact": "The Tianxin Internet Behavior Management System contains an OS command injection flaw in the Reporter component endpoint. By supplying a crafted objClass parameter that includes shell metacharacters and output redirection, an unauthenticated attacker can execute arbitrary system commands. This allows the attacker to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process, resulting in full control over the affected device. The weakness is a classic command injection issue, identified as CWE\u201178.", "risk_and_exploitability": "The vulnerability is assessed with a CVSS score of 9.3, indicating critical severity. The EPSS score of 5% suggests a moderate likelihood of exploitation, and the flaw is not currently listed in the CISA KEV catalog. Exploitation is straightforward for an attacker with network access to the device, as it is unauthenticated and driven by simple HTTP requests to the Reporter endpoint. Public exploitation was observed by ShadowServer on June\u00a01\u00a02024, confirming real\u2011world risk."}}}}, "created": "2026-04-08T19:38:01.554455+00:00", "updated": "2026-04-28T08:45:27.192042+00:00", "vendors": ["beijing_topsec_network_security", "beijing_topsec_network_security$PRODUCT$tianxin_internet_behavior_management_system"]}