CVE-2021-47903

HighPublic PoC

Published: 23 January 2026

Published

23 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0030 53.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash…

command injection.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires input validation and error handling for the 'Command' parameter in the external app configuration interface to neutralize special elements used in OS commands, preventing injection.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the specific command injection flaw (CVE-2021-47903) in LiteSpeed Web Server.

CM-5 Access Restrictions for Change partial match

prevent

Restricts and manages access to configuration changes, limiting authenticated administrators' ability to reach and exploit the vulnerable external app configuration interface.

Security SummaryAI

LiteSpeed Web Server Enterprise version 5.4.11 suffers from an authenticated command injection vulnerability in its external app configuration interface. The flaw allows attackers to inject shell commands through the 'Command' parameter within the server configuration, facilitating remote code execution via path traversal and bash command injection. This issue is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated administrators with access to the configuration interface can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation enables the execution of arbitrary shell commands on the affected server, granting high-impact control over confidentiality, integrity, and availability, potentially leading to full system compromise.

Advisories and resources include a proof-of-concept exploit published on Exploit-DB (ID 49523) and a detailed advisory from Vulncheck on the LiteSpeed Web Server Enterprise command injection vulnerability. References to LiteSpeed Technologies' official website and products page are available, though specific patch or mitigation guidance is not detailed in the provided information.

Details

CWE(s): CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE-2021-47903 is a command injection vulnerability in a public-facing web server configuration interface (T1190: Exploit Public-Facing Application), enabling remote code execution via bash shell commands (T1059.004: Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/49523
disclosure@vulncheck.com
https://www.litespeedtech.com/
disclosure@vulncheck.com
https://www.litespeedtech.com/products
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/litespeed-web-server-enterprise-command-injection
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/49523
134c704f-9b21-4f2e-91b3-4a467353bcc0