Vulnerabilities ›

CVE-2021-47938

High

CWE-94 — Weakness Type

                    Published: May 10, 2026                      ·  Modified: May 17, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters.

🤖 AI Executive Summary

ImpressCMS 1.4.2 contains a critical remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code through the sat_code parameter. This vulnerability enables attackers with administrative access to create executable files and gain complete system control. The lack of available patches makes immediate mitigation through alternative controls essential for affected organizations.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 13, 2026 13:48

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi government portals, educational institutions, and small-to-medium enterprises using ImpressCMS for content management. Government agencies under NCA oversight and educational institutions under MOEDU are particularly vulnerable. The vulnerability requires authenticated access, limiting exposure but creating insider threat risks. Organizations in the telecom sector (STC, Mobily) and healthcare institutions using ImpressCMS for patient portals face potential data breach and service disruption risks. The lack of patch availability increases the attack window for determined threat actors.

🏢 Affected Saudi Sectors

Government Education Healthcare Telecommunications Small and Medium Enterprises Non-Profit Organizations

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1059.007 - PowerShell T1106 - Native API T1053 - Scheduled Task/Job T1078 - Valid Accounts T1505 - Server Software Component T1505.003 - Web Shell

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all ImpressCMS 1.4.2 instances in your environment and document their locations

2. Restrict administrative access to /modules/system/admin.php to authorized personnel only

3. Implement network-level access controls limiting admin interface access to specific IP ranges

4. Enable comprehensive logging for all administrative activities in the autotasks module

5. Review admin user accounts and disable unused administrative credentials

COMPENSATING CONTROLS:

1. Implement Web Application Firewall (WAF) rules to block POST requests to /modules/system/admin.php?fct=autotasks&op=mod containing PHP code patterns

2. Deploy file integrity monitoring on the web root directory to detect unauthorized PHP file creation

3. Disable PHP execution in upload directories and temporary directories

4. Implement strict input validation and sanitization for the sat_code parameter

5. Use PHP disable_functions directive to restrict dangerous functions (exec, system, passthru, shell_exec, eval)

PATCHING STRATEGY:

1. Evaluate migration to maintained CMS alternatives (Drupal, WordPress with security hardening)

2. If migration not feasible, apply vendor security patches immediately upon release

3. Implement code review process for any custom modifications to ImpressCMS

DETECTION:

1. Monitor for POST requests to /modules/system/admin.php with fct=autotasks&op=mod parameters

2. Alert on creation of new PHP files in web-accessible directories

3. Monitor for execution of system commands from PHP processes

4. Track failed and successful authentication attempts to admin interfaces

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع نسخ ImpressCMS 1.4.2 في بيئتك وقم بتوثيق مواقعها

2. قيد الوصول الإداري إلى /modules/system/admin.php للموظفين المصرح لهم فقط

3. طبق ضوابط الوصول على مستوى الشبكة لتحديد وصول واجهة الإدارة إلى نطاقات IP محددة

4. فعّل السجلات الشاملة لجميع الأنشطة الإدارية في وحدة autotasks

5. راجع حسابات المستخدمين الإداريين وعطّل بيانات اعتماد الإدارة غير المستخدمة

الضوابط البديلة:

1. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحجب طلبات POST التي تحتوي على أنماط أكواد PHP

2. نشّر مراقبة سلامة الملفات على دليل جذر الويب للكشف عن إنشاء ملفات PHP غير المصرح بها

3. عطّل تنفيذ PHP في مجلدات التحميل والمجلدات المؤقتة

4. طبق التحقق من صحة الإدخال والتطهير الصارم لمعامل sat_code

5. استخدم توجيه PHP disable_functions لتقييد الوظائف الخطرة

استراتيجية التصحيح:

1. قيّم الهجرة إلى بدائل CMS المدعومة (Drupal, WordPress)

2. إذا لم تكن الهجرة ممكنة، طبق تصحيحات أمان البائع فورًا عند إصدارها

3. طبق عملية مراجعة الأكواد لأي تعديلات مخصصة على ImpressCMS

الكشف:

1. راقب طلبات POST إلى /modules/system/admin.php مع معاملات fct=autotasks&op=mod

2. أصدر تنبيهات عند إنشاء ملفات PHP جديدة في المجلدات التي يمكن الوصول إليها عبر الويب

3. راقب تنفيذ أوامر النظام من عمليات PHP

4. تتبع محاولات المصادقة الفاشلة والناجحة لواجهات الإدارة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.6.1.1 - User access management and authentication A.6.2.1 - User access rights review A.7.1.1 - Physical and environmental security A.8.1.1 - Cryptography and secure communications A.9.1.1 - Incident management and response A.10.1.1 - System development and maintenance security A.12.1.1 - Monitoring and logging

🔵 SAMA CSF

Governance - Security Policy and Risk Management Identify - Asset Management and Access Control Protect - Access Control and Authentication Detect - Monitoring and Logging Respond - Incident Response and Management Recover - Business Continuity and Disaster Recovery

🟡 ISO 27001:2022

A.5.1 - Management direction for information security A.6.1 - Internal organization A.6.2 - Mobile device and teleworking A.7.1 - Prior to public availability A.8.1 - User endpoint devices A.8.2 - Privileged access rights A.8.3 - Information access restriction A.12.1 - Audit logging A.12.4 - Recording of activities A.14.1 - Information security requirements A.14.2 - Security in development and support processes

🟣 PCI DSS v4.0.1

Requirement 1 - Firewall configuration Requirement 2 - Default passwords and security parameters Requirement 6 - Secure development and vulnerability management Requirement 7 - Restrict access to data by business need Requirement 8 - User identification and authentication Requirement 10 - Tracking and monitoring access to network resources

🔗 References & Sources 4

🔗

https://www.exploit-db.com/exploits/50298

disclosure@vulncheck.com

🔗

https://www.impresscms.org/

disclosure@vulncheck.com

🔗

https://www.impresscms.org/modules/downloads/

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/impresscms-remote-code-execution-via-autotasks

disclosure@vulncheck.com

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-94

EPSS0.24%

Exploit No

Patch ✗ No

Published 2026-05-10

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-94

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2021-47938

Introduce Yourself

Sign In Required