CVE-2021-21804
Description
A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local file inclusion vulnerability in Advantech R-SeeNet 2.4.12 allows unauthenticated remote attackers to execute arbitrary PHP code via a crafted HTTP request.
Vulnerability
A local file inclusion (LFI) vulnerability exists in the options.php script of Advantech R-SeeNet version 2.4.12 (20.10.2020). The script accepts the sub_opt parameter from an HTTP GET request and passes it directly into a PHP include() statement without any sanitization (line 218: include($sub_opt.".php");). This allows an attacker to control the included file, leading to arbitrary PHP code execution. The vulnerability is reachable without authentication, as the options.php script is accessible via the web interface.
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the options.php script with a malicious sub_opt parameter. No authentication or prior access is required. The attacker can use path traversal sequences (e.g., ../../) or PHP wrappers (e.g., php://input) to include arbitrary files from the server or execute arbitrary PHP code. The CVSSv3 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates high attack complexity, but successful exploitation does not require user interaction.
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the target server. This can lead to full compromise of the affected system, including disclosure of sensitive data, modification of files, and denial of service. The attacker gains the ability to execute commands with the privileges of the web server user, potentially leading to complete control over the R-SeeNet application and underlying operating system.
Mitigation
As of the publication date (2021-07-16), no patch or workaround has been disclosed in the available references [1]. Users are advised to restrict network access to the R-SeeNet web interface, monitor vendor updates from Advantech, and consider applying the principle of least privilege to the web server process. If possible, disable or remove the options.php script until a fix is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Advantech/R-SeeNetdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `sub_opt` parameter in `options.php` allows an attacker to control the argument to PHP's `include` function, enabling file inclusion via PHP stream wrappers."
Attack vector
An attacker must be authenticated (even as a guest user, since `"options"` is in the guest whitelist [ref_id=1]). The attacker sends a crafted HTTP GET request to `/index.php?page=options&sub_opt=...` where the `sub_opt` parameter contains a PHP stream wrapper such as `php://filter/convert.base64-encode/resource=/config.inc`. The `include` call on line 218 of `options.php` processes this user-controlled value, allowing the attacker to read arbitrary files (e.g., `config.inc.php` containing database credentials) or, by using other PHP stream wrappers, achieve arbitrary PHP code execution [CWE-98].
Affected code
The vulnerability resides in `php/options.php` at line 218, where the `$sub_opt` parameter (received from `$_GET['sub_opt']` at line 27) is passed directly into an `include` statement without sanitization: `include($sub_opt.".php");`. The `index.php` script (lines 60-71) includes `"options"` in its whitelist, allowing even guest users to reach the vulnerable script.
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] indicates that the vendor was contacted multiple times between March and June 2021 but did not respond, and the vulnerability was publicly disclosed on 2021-07-15. The remediation would require sanitizing or validating the `sub_opt` parameter against a whitelist of allowed PHP files before passing it to the `include` function, rather than using unsanitized user input directly.
Preconditions
- authAttacker must be authenticated to the R-SeeNet web application (guest-level access is sufficient)
- networkAttacker must be able to send HTTP GET requests to the server
- inputThe `sub_opt` parameter is taken directly from user input without sanitization
Reproduction
Send a GET request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- talosintelligence.com/vulnerability_reports/TALOS-2021-1273mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.