VYPR
High severity 8.8 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 15, 2026

CVE-2021-47745

Description

Cypress Solutions CTM-200 2.7.1 allows authenticated remote attackers to inject and execute OS commands as root via the 'fw_url' parameter in the firmware upgrade script.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Analysis

An authenticated command injection vulnerability (CWE-78) exists in the Cypress Solutions CTM-200 industrial cellular wireless gateway, version 2.7.1 (and also 2.0.5.3356-184). The flaw resides in the firmware upgrade functionality, specifically within the /www/cgi-bin/webif/ctm-config-upgrade.sh script. When a user triggers a firmware upgrade via the web form, the script passes the user-supplied fw_url POST parameter directly to the cmd upgradefw command (line 139). The underlying ELF binary cmdmain constructs a command string using sprintf() and then passes it to ctmsys(), which executes it via execv(). The fw_url value is not sanitized, allowing an attacker to inject arbitrary shell metacharacters into the wget command that is executed [1][2][4].

Exploitation

The vulnerability requires prior authentication to the CTM-200's web interface as an admin-level user. An attacker with valid credentials can craft a POST request to the firmware upgrade CGI endpoint. The fw_url parameter, intended to hold a URL for downloading a firmware image, can instead contain command injection payloads, such as appending ; or | followed by shell commands. Because the injected commands are executed in the context of the ctmsysitem() function call, which itself runs with root privileges, the attacker gains full control over the gateway. The exploit is classified as 'semi-blind': the output may not be directly returned in the HTTP response, but the commands still execute, and their effects can be observed or they can exfiltrate data through outbound connections [2].

Impact

Successful exploitation grants the attacker remote, interactive shell access with root privileges on the CTM-200 device. This enables complete compromise of the gateway, including the ability to modify configuration, intercept or redirect network traffic, access connected SCADA systems, and use the device as a persistent pivot point into the broader industrial network. Given that the CTM-200 is used in mobile fleet applications and fixed-site industrial communications, this represents a high-severity threat to operational technology environments [1][2][3].

Mitigation

The vulnerability was publicly disclosed on September 21, 2021, and an exploit is publicly available on Exploit-DB. Users should immediately check with Cypress Solutions for a patched firmware version (none was indicated as available at the time of disclosure). As a workaround, restrict administrative access to the CTM-200 web interface by network segmentation and use strong, unique passwords. Because the device may be deployed in critical infrastructure, the vulnerability should be prioritized for remediation and monitored for inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog [2][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of the `fw_url` POST parameter in the firmware upgrade script allows shell command injection via backtick metacharacters."

Attack vector

An authenticated attacker sends a POST request to `/cgi-bin/webif/ctm-config-upgrade.sh` with a `fw_url` parameter containing shell metacharacters (e.g., backticks) [ref_id=1]. The script passes this value to `cmd upgradefw`, which ultimately constructs a `wget` command via `sprintf` and executes it through `ctmsys()` [ref_id=1]. Because the input is not sanitized, the injected shell commands run with root privileges, as demonstrated by the PoC using `` `id` `` as the `fw_url` value, which outputs `gid=0(root)/uid=0(root)` in the response [ref_id=1]. The attack requires only network access to the device and valid authentication credentials [CWE-78].

Affected code

The vulnerability resides in `/www/cgi-bin/webif/ctm-config-upgrade.sh` at line 139, where the `cmd upgradefw "$FORM_fw_url"` command passes the unsanitized `fw_url` POST parameter directly to the `cmdmain` ELF binary. Inside `cmdmain`, the `make_wget_url()` function and subsequent `sprintf`/`ctmsys()` calls construct a `wget` command string using the attacker-controlled URL, which is then executed via `ctmsys()` — a wrapper around `execv()` — without any input sanitization [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not specify a fix, but the remediation would require sanitizing or validating the `fw_url` input parameter in `ctm-config-upgrade.sh` before passing it to `cmd upgradefw`, and ensuring the `cmdmain` ELF binary properly escapes shell metacharacters when constructing the `wget` command string passed to `ctmsys()` [ref_id=1].
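
One way to implement the remediation described above, as an added example (not Cypress Solutions code and not taken from the advisory): validate `fw_url` against an allow-list, then hand it to `wget` as its own argv element so that no shell ever parses it. The function names, the 512-byte limit, the output path and the example host are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vendor code. Accept only http(s) URLs built from a
 * conservative character set, so ` ; | & $ ( ) < > quotes and whitespace
 * are all rejected. The 512-byte limit is an assumption. */
int fw_url_is_safe(const char *url)
{
    static const char extra[] = "-._~:/?#[]@%=+,";  /* allowed punctuation */
    size_t n, i, skip;

    if (url == NULL || (n = strlen(url)) >= 512) return 0;
    if (strncmp(url, "http://", 7) == 0) skip = 7;
    else if (strncmp(url, "https://", 8) == 0) skip = 8;
    else return 0;            /* also stops a leading '-' reaching wget */
    if (url[skip] == '\0' || url[skip] == '/') return 0;  /* empty host */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(extra, c) == NULL) return 0;
    }
    return 1;
}

/* Fill argv for an execv()-style call of wget itself (no "sh -c"): each
 * element reaches the program verbatim. Returns argc, or -1 on rejection. */
int build_wget_argv(const char *url, const char *out_path,
                    const char *argv[], size_t cap)
{
    if (cap < 6 || out_path == NULL || !fw_url_is_safe(url)) return -1;
    argv[0] = "wget";
    argv[1] = "-O";
    argv[2] = out_path;
    argv[3] = "--";           /* end of options */
    argv[4] = url;
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    const char *argv[6];
    /* Constructed inputs: the PoC value from this page, then a plain URL. */
    printf("%d\n", build_wget_argv("`id`", "/tmp/fw.bin", argv, 6));
    printf("%d\n", build_wget_argv("http://updates.example/fw.bin",
                                   "/tmp/fw.bin", argv, 6));
    return 0;
}
```

The same allow-list check belongs in `ctm-config-upgrade.sh` as well, so the value is rejected before it reaches `cmd upgradefw`.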

Preconditions

  • auth: Attacker must have valid authentication credentials (HTTP Basic Auth) to access the web interface
  • network: Attacker must have network access to the CTM-200 device on port 80/443
  • input: The fw_url POST parameter must be controllable by the attacker

Reproduction

Send the following POST request to the target device (replace `192.168.1.100` with the target IP and adjust the Authorization header credentials as needed) [ref_id=1]:

```
POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1
Host: 192.168.1.100
Authorization: Basic YWRtaW46Q2hhbWVsZW9u
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM

------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="fw_url"

`id`
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="install_fw_url"

Start Firmware Upgrade from URL
------WebKitFormBoundaryZlABvwQnpLtpe9mM--
```

The response will include the output of the injected command (e.g., `gid=0(root)/uid=0(root)`) within the firmware upgrade status messages [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
