CVE-2021-46704
Description
Unauthenticated OS command injection in GenieACS UI ping API allows remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated OS command injection in GenieACS UI ping API allows remote code execution.
Vulnerability
In GenieACS 1.2.x before 1.2.8, the UI interface API (lib/ui/api.ts and lib/ping.ts) is vulnerable to unauthenticated OS command injection. The ping host argument is passed directly to the system's ping command without proper validation or authorization checks. [1] [3]
Exploitation
An unauthenticated attacker can send a crafted HTTP request to the UI API's ping endpoint with a malicious host argument containing shell metacharacters. Because the host is passed to exec() without sanitization, arbitrary commands are executed on the server. [1] [3]
Impact
Successful exploitation allows remote code execution as the user running genieacs-ui (typically root or a low-privilege user). This can lead to full compromise of the ACS server and potentially the managed devices. [1]
Mitigation
The vulnerability is fixed in GenieACS version 1.2.8. The fix adds input validation via a isValidHost function that restricts allowed characters. [3] [4] Users should upgrade to 1.2.8 or later. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
genieacsnpm | < 1.2.8 | 1.2.8 |
Affected products
2Patches
17f295beeecc1Validate host arg passed to ping
1 file changed · +13 −0
lib/ping.ts+13 −0 modified@@ -19,6 +19,7 @@ import { platform } from "os"; import { exec } from "child_process"; +import { domainToASCII } from "url"; export interface PingResult { packetsTransmitted: number; @@ -30,11 +31,23 @@ export interface PingResult { mdev: number; } +function isValidHost(host: string): boolean { + // Valid chars in IPv4, IPv6, domain names + if (/^[a-zA-Z0-9\-.:[\]-]+$/.test(host)) return true; + + // Check if input is an IDN convert to Punycode + // Can't merge with above because domainToASCII doesn't accept IP addresses + return /^[a-zA-Z0-9\-.:[\]-]+$/.test(domainToASCII(host)); +} + export function ping( host: string, callback: (err: Error, res?: PingResult, stdout?: string) => void ): void { let cmd: string, parseRegExp1: RegExp, parseRegExp2: RegExp; + // Validate input to prevent possible remote code execution + // Credit to Alex Hordijk for reporting this vulnerability + if (!isValidHost(host)) return callback(new Error("Invalid host")); host = host.replace("[", "").replace("]", ""); switch (platform()) { case "linux":
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-2877-693q-pj33ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-46704ghsaADVISORY
- github.com/genieacs/genieacs/commit/7f295beeecc1c1f14308a93c82413bb334045af6ghsax_refsource_MISCWEB
- github.com/genieacs/genieacs/releases/tag/v1.2.8ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.