A critical security vulnerability, tracked as CVE-2021-4473, has been identified in the Tianxin Internet Behavior Management System. With a severe CVSS score of 9.3, this flaw allows unauthenticated attackers to execute arbitrary commands at the system level, potentially leading to a total compromise of the affected network infrastructure.
The Shadowserver Foundation first reported evidence of active exploitation in the wild on June 1, 2024 (UTC).
The flaw resides in the Reporter component endpoint of the management system. This component, designed to handle data reporting and visualization, fails to properly sanitize user-supplied input.
Attackers can exploit this by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Because this endpoint does not require authentication, an external actor can remotely trigger a command injection.
Specifically, attackers are using this vulnerability to:
- Write Malicious Files: Attackers use output redirection to drop malicious PHP files directly into the web root.
- Achieve Remote Code Execution (RCE): Once the PHP file is staged, it can be accessed via a browser to execute commands with the full privileges of the web server process.
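Defenders can sweep web access logs for the request pattern described above. The Python below is an added example, not code from the vendor or from this report; the endpoint path, the combined access-log format and the sample lines are constructed placeholders, and it assumes `objClass` appears in the logged query string.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Characters and sequences that let a value break out of a shell command
# or redirect its output; a legitimate class name needs none of them.
SHELL_META = re.compile(r"[;|&`<>\n\r]|\$\(|\$\{")
# Combined-log-format request line: client IP, method, target, status.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_objclass(value):
    """Return True if an objClass value contains shell metacharacters."""
    # Decode once more so double-encoded input (%253B) is caught as well.
    return bool(SHELL_META.search(unquote_plus(value)))

def scan(lines):
    """Yield (client_ip, status, decoded objClass) for suspicious requests."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # parse_qsl performs the first round of URL decoding.
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key.lower() == "objclass" and suspicious_objclass(value):
                yield ip, int(status), unquote_plus(value)

# Constructed sample log lines; path and values are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2024:00:00:01 +0000] "GET /PLACEHOLDER/reporter'
    '?objClass=x%3B+PLACEHOLDER_CMD+%3E+PLACEHOLDER.php HTTP/1.1" 200 12',
    '198.51.100.4 - - [01/Jun/2024:00:00:05 +0000] "GET /PLACEHOLDER/reporter'
    '?objClass=TrafficReport HTTP/1.1" 200 532',
    '203.0.113.9 - - [01/Jun/2024:00:00:09 +0000] "GET /PLACEHOLDER/reporter'
    '?objClass=x%253Bfoo HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} objClass={value!r}")
```

Hits that returned status 200 deserve priority, followed by a check of the web root for PHP files created around the same timestamps. Parameters sent in a POST body do not appear in access logs and need proxy or WAF logs instead.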
The Tianxin Internet Behavior Management System is often positioned at the edge of corporate and institutional networks to monitor and control user activity. A breach of this system is particularly dangerous as it provides attackers with a high-privilege foothold inside the network perimeter.
Once RCE is achieved, threat actors can move laterally to other sensitive systems, intercept internal traffic, or deploy ransomware. The ease of exploitation—requiring only a single crafted request—makes it an ideal target for automated “spray and pray” campaigns.
A fix has been available for some time, and organizations are urged to upgrade the system firmware to version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin or later.