CVE-2021-47747

CVE-2021-47747 is an authenticated remote code execution vulnerability affecting meterN version 1.2.3, a software component likely related to monitoring or metering functions based on its archived project site. The flaw resides in the admin_meter2.php and admin_indicator2.php scripts, where the 'COMMANDx' and 'LIVECOMMANDx' POST parameters fail to properly sanitize input, enabling OS command injection as described by CWE-78. This issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. By sending crafted POST requests to the vulnerable scripts with malicious commands in the specified parameters, the attacker achieves remote code execution with administrative privileges on the host system, potentially leading to full control including data exfiltration, persistence, or lateral movement.

Advisories from Vulncheck, ZeroScience (ZSL-2021-5690), and Exploit-DB detail the vulnerability, with the latter providing a public proof-of-concept exploit (EDB-ID 50596). The original meterN project page is archived, and no specific patches or mitigations are outlined in the core CVE details, though practitioners should review these references for remediation guidance such as input validation or script removal.

The availability of a public exploit on Exploit-DB highlights the risk of real-world exploitation against unpatched meterN 1.2.3 deployments.