CVE-2021-47938 Overview
CVE-2021-47938 is an authenticated remote code execution vulnerability in ImpressCMS 1.4.2. The flaw resides in the autotasks administrative interface, which fails to sanitize the sat_code parameter before writing it to an executable PHP file. An authenticated attacker with administrative access can submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod containing malicious PHP code. The server stores the injected payload in a PHP file that subsequently accepts arbitrary commands through GET parameters. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and enables full compromise of the host running ImpressCMS.
Critical Impact
Authenticated attackers can execute arbitrary PHP and shell commands on the web server, leading to complete confidentiality, integrity, and availability loss.
Affected Products
- ImpressCMS 1.4.2
- ImpressCMS system module (autotasks administrative interface)
- Deployments exposing /modules/system/admin.php to authenticated administrators
Discovery Timeline
- 2026-05-10 - CVE-2021-47938 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47938
Vulnerability Analysis
The vulnerability is a code injection flaw in the ImpressCMS autotasks management endpoint. The sat_code POST parameter accepts the PHP body of a scheduled task and is written verbatim into a PHP file under the application's autotasks directory. Because the application does not validate, escape, or sandbox the supplied code, any string submitted in sat_code becomes server-side executable PHP. The resulting file is then reachable over HTTP and parses incoming GET parameters as command input, effectively turning the autotasks feature into a persistent web shell. The exploit chain requires valid administrator credentials, which limits unauthenticated exposure but does not mitigate insider misuse or compromise of admin sessions.
Root Cause
The root cause is the absence of input validation and code-generation controls in the autotasks editor. ImpressCMS treats sat_code as trusted PHP source and persists it directly to disk inside the webroot. No allow-listing of functions, no syntactic validation, and no separation between code storage and code execution surfaces exist. This design pattern violates CWE-94 by allowing attacker-controlled data to be interpreted as code at runtime.
Attack Vector
The attack proceeds over the network against the ImpressCMS web interface. An attacker first authenticates as an administrator. The attacker then submits a POST request to /modules/system/admin.php?fct=autotasks&op=mod with a crafted sat_code value containing PHP such as a function that executes the contents of a GET parameter. ImpressCMS writes this payload into an autotask PHP file inside the webroot. The attacker then issues GET requests to that file, passing arbitrary shell commands as query parameters, which the injected PHP executes under the web server account. Technical proof-of-concept details are available in the Exploit-DB #50298 entry and the VulnCheck Remote Code Execution Advisory.
Detection Methods for CVE-2021-47938
Indicators of Compromise
- POST requests to /modules/system/admin.php?fct=autotasks&op=mod containing PHP tokens such as <?php, system(, passthru(, or eval( in the sat_code body.
- New or modified PHP files inside the ImpressCMS autotasks storage path, especially files with recent timestamps not matching deployment activity.
- Subsequent GET requests to autotask PHP files carrying shell-like query parameters (for example, id, cmd, or base64-encoded values).
- Web server processes spawning sh, bash, cmd.exe, powershell.exe, or reconnaissance tools such as whoami, id, or uname.
Detection Strategies
- Inspect web access and application logs for fct=autotasks&op=mod requests and correlate them with the authenticated administrator account performing them.
- Monitor the ImpressCMS installation directory for unexpected creation or modification of PHP files using file integrity monitoring.
- Alert on PHP interpreter or web server child processes invoking operating system shells, which is unusual for a CMS workload.
Monitoring Recommendations
- Enable verbose logging on the ImpressCMS admin panel and forward logs to a SIEM for retention and correlation.
- Baseline normal administrator activity and flag deviations such as autotask edits from new IP addresses or outside business hours.
- Review outbound network connections from the web server for callbacks to attacker-controlled infrastructure following autotask modifications.
How to Mitigate CVE-2021-47938
Immediate Actions Required
- Restrict access to /modules/system/admin.php to trusted administrative networks using web server or reverse proxy access controls.
- Rotate administrator credentials and enforce strong, unique passwords with multi-factor authentication on any upstream identity provider.
- Audit the autotasks directory for unauthorized PHP files and remove any task code that was not installed by a legitimate administrator.
- Review web and application logs for prior exploitation attempts referencing sat_code or fct=autotasks.
Patch Information
No vendor patch is referenced in the available advisories for ImpressCMS 1.4.2. Operators should upgrade to the latest available release from the ImpressCMS official site and the ImpressCMS download modules page, and verify that the autotasks module no longer accepts arbitrary PHP in the sat_code parameter before returning the application to production use.
Workarounds
- Disable or remove the ImpressCMS system autotasks module if it is not required for operations.
- Place the application behind a web application firewall with rules that block PHP tags and dangerous function names in request bodies sent to admin endpoints.
- Configure the web server to deny direct HTTP execution of files inside the autotasks storage directory.
- Run the PHP process under a least-privilege account and apply filesystem permissions that prevent the webroot from being writable by the runtime user where feasible.
# Example nginx configuration to deny execution of autotask PHP files
location ~ ^/modules/system/autotasks/.*\.php$ {
deny all;
return 403;
}
# Restrict access to the vulnerable admin endpoint to a management subnet
location = /modules/system/admin.php {
allow 10.0.0.0/24;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
