Vulnerabilities

CVE-2021-47939

High
CWE-94 — Weakness Type
Published: May 10, 2026  ·  Modified: May 17, 2026  ·  Source: NVD
CVSS v3: 8.8
📄 Description (English)

Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked.

🤖 AI Executive Summary

Evolution CMS 3.1.6 contains a critical remote code execution vulnerability (CVE-2021-47939) that allows authenticated users with module creation permissions to execute arbitrary PHP code through POST requests. The flaw stems from insufficient input validation in module parameter handling, which lets an attacker inject code that runs system commands when the module is invoked. With a CVSS score of 8.8 and no available patch, it poses significant risk to organizations using Evolution CMS for content management and web applications.

🤖 AI Intelligence Analysis (Analyzed: May 13, 2026 13:49)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Evolution CMS for government portals, corporate websites, and e-commerce platforms face significant risk. Most vulnerable sectors include: Government agencies (NCA, MCIT) managing public-facing portals; Banking and financial institutions using CMS for customer-facing applications; Healthcare providers (MOH) managing patient information portals; Telecommunications companies (STC, Mobily) operating customer service platforms; and Energy sector (ARAMCO) managing corporate communications. The vulnerability's requirement for authenticated access with module creation permissions limits exposure but poses critical risk if administrative credentials are compromised or if internal threats exist.
🏢 Affected Saudi Sectors
Government, Banking and Financial Services, Healthcare, Energy and Utilities, Telecommunications, E-commerce, Education, Media and Publishing
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all Evolution CMS 3.1.6 installations and identify users with module creation permissions
2. Review access logs for /manager/index.php POST requests with suspicious 'post' parameters containing PHP code patterns
3. Disable module creation functionality for non-essential administrative accounts immediately
4. Implement strict input validation and output encoding for all module parameters

Compensating Controls:
1. Deploy Web Application Firewall (WAF) rules to block POST requests to /manager/index.php containing PHP code patterns (<?php, eval, system, exec, passthru, shell_exec)
2. Implement strict Content Security Policy (CSP) headers to prevent inline script execution
3. Enable the PHP disable_functions directive to restrict dangerous functions: eval, system, exec, passthru, shell_exec, proc_open, popen
4. Restrict /manager/ directory access via IP whitelisting to trusted administrative networks only
5. Implement comprehensive logging and monitoring of all module creation activities

Detection Rules:
1. Monitor POST requests to /manager/index.php with 'post' parameter containing: PHP tags, eval(), system(), exec(), base64_decode patterns
2. Alert on any module creation by non-standard administrative accounts
3. Monitor for suspicious process execution originating from PHP processes
4. Track file modifications in module directories for unauthorized changes
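The detection rules above, worked into a small log scanner as an added example (not code from this page or from the Evolution CMS project): the 'post' parameter travels in the POST body, so the scanner assumes a WAF or ModSecurity-style request-body audit log flattened into constructed tab-separated records (timestamp, client IP, authenticated user, method, path, urlencoded body), since the ordinary combined access log never records bodies. The indicator list is the one the WAF and detection rules on this page name, and base64 runs are decoded and re-scanned to cover the base64_decode pattern.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

TARGET_PATH, TARGET_PARAM = "/manager/index.php", "post"
# Indicators named in the advisory. eval stays listed because it is a language
# construct that PHP's disable_functions cannot block, unlike the real functions.
PHP_CODE_RE = re.compile(
    r"<\?(?:php|=)|\b(?:eval|system|exec|passthru|shell_exec|proc_open|popen|base64_decode)\s*\(",
    re.IGNORECASE)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # base64 run long enough to hide a payload

def php_indicators(text):
    """Return sorted PHP code indicators found in text, including inside base64 runs."""
    hits = {m.group(0).lower() for m in PHP_CODE_RE.finditer(text)}
    for blob in B64_RUN_RE.findall(text):  # decode and re-scan (base64_decode evasion)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to unwrap
        hits.update("base64:" + m.group(0).lower() for m in PHP_CODE_RE.finditer(decoded))
    return sorted(hits)

def scan_audit_log(lines):
    """One finding per POST to the manager endpoint whose 'post' parameter holds PHP code."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")  # ts, client_ip, auth_user, method, path, body
        if len(fields) != 6:
            continue  # malformed record: skip it rather than abort the scan
        ts, client, user, method, path, body = fields
        if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
            continue
        for value in parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, []):
            indicators = php_indicators(value)
            if indicators:
                findings.append({"ts": ts, "client": client, "user": user, "indicators": indicators})
    return findings

# Constructed sample records (not real traffic): plain PHP, base64-wrapped PHP, benign text, a GET.
SAMPLE_AUDIT_LOG = [
    "2026-05-11T08:14:02Z\t203.0.113.7\tadmin\tPOST\t/manager/index.php\t"
    + urlencode({"post": "<?php system('id'); ?>", "name": "helper"}),
    "2026-05-11T08:15:30Z\t203.0.113.7\tadmin\tPOST\t/manager/index.php\t"
    + urlencode({"post": base64.b64encode(b"<?php eval($_POST['x']); ?>").decode(), "name": "x"}),
    "2026-05-11T08:16:11Z\t198.51.100.4\teditor\tPOST\t/manager/index.php\t"
    + urlencode({"post": "Weekly newsletter module", "name": "news"}),
    "2026-05-11T08:17:45Z\t198.51.100.9\t-\tGET\t/manager/index.php?view=modules\t",
]
```

Each finding carries the authenticated user, which is what rule 2 (module creation by non-standard administrative accounts) needs to correlate against.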

Upgrade Path:
1. Contact Evolution CMS vendor for security updates or migrate to alternative CMS solutions
2. If upgrade unavailable, consider complete CMS replacement with actively maintained alternatives
🔧 Remediation Steps (Arabic)
Immediate Actions:
1. Audit all Evolution CMS 3.1.6 installations and identify the users who hold module creation permissions
2. Review access logs for POST requests to /manager/index.php that carry suspicious 'post' parameters containing PHP code patterns
3. Immediately disable the module creation function for non-essential administrative accounts
4. Apply strict input validation and output encoding for all module parameters

Compensating Controls:
1. Deploy Web Application Firewall (WAF) rules to block POST requests to /manager/index.php that contain PHP code patterns (<?php, eval, system, exec, passthru, shell_exec)
2. Apply strict Content Security Policy (CSP) headers to prevent execution of inline scripts
3. Enable the PHP disable_functions directive to restrict dangerous functions: eval, system, exec, passthru, shell_exec, proc_open, popen
4. Restrict access to the /manager/ directory through a whitelist of trusted addresses only
5. Apply comprehensive logging and monitoring for all module creation activities

Detection Rules:
1. Monitor POST requests to /manager/index.php with a 'post' parameter containing: PHP tags, eval(), system(), exec(), base64_decode patterns
2. Alert on any module creation by non-standard administrative accounts
3. Monitor suspicious process execution originating from PHP processes
4. Track file modifications in module directories for unauthorized changes

Upgrade Path:
1. Contact the Evolution CMS vendor for security updates, or migrate to alternative CMS solutions
2. If no upgrade is available, consider replacing the entire CMS with actively maintained alternatives
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Internal Organization
A.6.2.1 - Mobile Device Management
A.7.1.1 - Access Control
A.8.1.1 - Cryptography
A.8.2.1 - Secure Development
A.8.3.1 - Secure Operations
A.9.1.1 - Event Logging and Monitoring
🔵 SAMA CSF
Governance - Risk Management Framework
Governance - Third-party Risk Management
Protect - Access Control and Authentication
Protect - Data Protection and Privacy
Detect - Security Monitoring and Logging
Respond - Incident Response and Management
🟡 ISO 27001:2022
5.1 - Policies for information security
5.15 - Access control
5.23 - Information security for supplier relationships
6.5 - Control of changes
7.3 - Determination of information security requirements
8.1 - Operational planning and control
8.2 - Supply chain relationships
8.3 - Information and communication
8.32 - Change management
8.33 - Testing, maintaining and re-assessing information security
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 7 - Restrict access to data by business need to know
Requirement 10 - Track and monitor all access to network resources
📊 CVSS Score: 8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): N — Network
Attack Complexity (AC): L — Low
Privileges Required (PR): L — Low
User Interaction (UI): N — None
Scope (S): U — Unchanged
Confidentiality (C): H — High
Integrity (I): H — High
Availability (A): H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-94
EPSS: 0.33%
Exploit: No
Patch: ✗ No
Published: 2026-05-10
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0
Priority: HIGH
🏷️ Tags: CWE-94