Cyber Posture

CVE-2021-47770

High · Public PoC

Published: 21 January 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (55.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Prevents code injection by validating and sanitizing uploaded custom hardware layer files in the configuration interface.

prevent: Restricts access to hardware configuration changes, preventing low-privilege authenticated users from uploading malicious layers.

prevent, detect: Scans for and blocks malicious code, such as embedded reverse shells, in uploaded hardware layers before execution.

Security Summary · AI

CVE-2021-47770 is an authenticated remote code execution vulnerability in OpenPLC v3, published on 2026-01-21. The flaw resides in the hardware configuration interface, where attackers with valid credentials can upload a custom hardware layer embedded with malicious reverse shell code. This code establishes a network connection to an attacker-specified IP and port, enabling arbitrary remote command execution. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (code injection).

Exploitation requires low-privilege authenticated access over the network, with low attack complexity and no user interaction needed. An attacker can achieve full remote code execution on the targeted OpenPLC v3 instance, potentially compromising the programmable logic controller (PLC) environment, exfiltrating data, modifying control logic, or disrupting operations.

Mitigation details are available in vendor and security advisories, including the OpenPLC project site (https://www.openplcproject.com/), the GitHub repository (https://github.com/thiagoralves/OpenPLC_v3), and the VulnCheck advisory (https://www.vulncheck.com/advisories/openplc-remote-code-execution); a public proof-of-concept exploit is also listed (https://www.exploit-db.com/exploits/49803). Practitioners should review these for patching instructions or configuration hardening to prevent unauthorized hardware layer uploads.

A public exploit is available on Exploit-DB, indicating potential for real-world abuse in industrial control system environments running OpenPLC v3.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

CVE-2021-47770 enables exploitation of a public-facing application (OpenPLC hardware configuration interface) for initial access (T1190) and facilitates privilege escalation from low-privilege authenticated access to full remote code execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
