CVE-2021-42081

9.1 CRITICAL

📋 TL;DR

This vulnerability allows authenticated administrators to execute arbitrary shell commands through the API in OSNexus QuantaStor storage systems. Attackers with admin credentials can achieve remote code execution, potentially compromising the entire storage system. Organizations using affected OSNexus QuantaStor versions are at risk.

💻 Affected Systems

Products:
  • OSNexus QuantaStor
Versions: prior to 5.7.2
Operating Systems: Linux-based storage appliances
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication but default admin credentials may be used.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing data theft, destruction, or ransomware deployment across the storage infrastructure.

🟠 Likely Case

Unauthorized data access, system configuration changes, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation and admin credential protection are in place.

🌐 Internet-Facing: HIGH - If the API is exposed to the internet, attackers can exploit it remotely.
🏢 Internal Only: HIGH - Even internally, compromised admin credentials lead to system takeover.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Simple command injection via API parameters with documented proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.2 and later

Vendor Advisory: https://www.osnexus.com/products/software-defined-storage

Restart Required: Yes

Instructions:

1. Backup configuration and data.
2. Download QuantaStor 5.7.2 or later from OSNexus.
3. Apply update via web interface or CLI.
4. Restart services or system as required.

🔧 Temporary Workarounds

API Access Restriction (Linux)

Restrict network access to the QuantaStor API interface. Replace trusted_networks with the management CIDR that should keep access, and note that -A appends to the chain, so an existing INPUT rule that accepts port 443 earlier in the chain would take precedence over the DROP below.

  iptables -A INPUT -p tcp --dport 443 -s trusted_networks -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j DROP

Admin Credential Rotation (all platforms)

Change all admin passwords and implement strong authentication.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate QuantaStor systems from critical networks.
  • Enable detailed API logging and monitor for suspicious command injection patterns.

🔍 How to Verify

Check if Vulnerable:

Check QuantaStor version via web interface or 'qs --version' command. Versions below 5.7.2 are vulnerable.

Check Version:

qs --version

Verify Fix Applied:

Confirm version is 5.7.2 or higher and test API endpoints for command injection using safe test commands.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests with shell metacharacters (;, $, |) in parameters
  • Multiple failed admin login attempts followed by API access

Network Indicators:

  • HTTP requests to /qstorapi/storageSystemModify with suspicious parameters
  • Outbound connections from QuantaStor to unexpected destinations

SIEM Query:

source="quanta.log" AND (uri_path="/qstorapi/storageSystemModify" AND (param="newDescription" OR param="newDnsServerList" OR param="newNTPServerList") AND param_value MATCHES "[;|$`]" )
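As an added example that is not part of this advisory, the following Python checker applies the same rule as the SIEM query above (watched parameters of /qstorapi/storageSystemModify containing shell metacharacters) to constructed sample log lines; the log line format, source addresses and entries are assumptions, not real QuantaStor output.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names and endpoint taken from the advisory's SIEM query.
TARGET_PATH = "/qstorapi/storageSystemModify"
WATCHED_PARAMS = {"newDescription", "newDnsServerList", "newNTPServerList"}
# Shell metacharacters listed under Log Indicators.
METACHARS = re.compile(r"[;|$`]")

# Assumed (constructed) log format: "<ts> src=<ip> user=<name> uri=<path?query>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) uri=(?P<uri>\S+)$")


def inspect_line(line):
    """Return a finding for a watched-parameter hit on the target endpoint, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != TARGET_PATH:
        return None
    hits = []
    # parse_qsl URL-decodes values, so %3B / %60 are caught as well as literal ; and `
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and METACHARS.search(value):
            hits.append((name, value))
    if not hits:
        return None
    return {"ts": m.group("ts"), "src": m.group("src"), "user": m.group("user"), "params": hits}


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log: one benign modify, one encoded ';' in newDescription,
# a comma-separated DNS list (benign), a metacharacter on an unrelated endpoint,
# and backticks in newNTPServerList.
SAMPLE_LOG = [
    "2021-10-05T09:14:02Z src=10.20.0.15 user=admin uri=/qstorapi/storageSystemModify?newDescription=rack7-primary",
    "2021-10-05T09:15:40Z src=198.51.100.23 user=admin uri=/qstorapi/storageSystemModify?newDescription=rack7%3Bid",
    "2021-10-05T09:16:01Z src=198.51.100.23 user=admin uri=/qstorapi/storageSystemModify?newDnsServerList=10.0.0.2%2C10.0.0.3",
    "2021-10-05T09:16:30Z src=10.20.0.15 user=admin uri=/qstorapi/volumeCreate?name=vol%3B1",
    "2021-10-05T09:17:05Z src=198.51.100.23 user=admin uri=/qstorapi/storageSystemModify?newNTPServerList=ntp.example.com%60hostname%60",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed real API access logs through scan() once the line regex is adjusted to the appliance's actual log format; the check decodes URL encoding before matching, which the raw-string SIEM query does not.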