CVE-2021-47701

8.8 HIGH

📋 TL;DR

CVE-2021-47701 is a privilege escalation vulnerability in OpenBMCS 2.4 that allows authenticated users with read-only permissions to elevate their privileges to administrative level. Attackers exploit a flaw in the update_user_permissions.php script by sending malicious HTTP POST requests. Organizations running OpenBMCS 2.4 with user management enabled are affected.

💻 Affected Systems

Products:
  • OpenBMCS
Versions: Version 2.4
Operating Systems: Any OS running OpenBMCS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user management functionality to be enabled, and the attacker needs at least read-only user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers gain administrative control, modify all user permissions, access sensitive data, and potentially execute arbitrary code on the server.

🟠 Likely Case

Attackers escalate privileges to admin level, modify other user accounts, access confidential information, and maintain persistent access to the system.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring that detects privilege escalation attempts.

🌐 Internet-Facing: HIGH - If OpenBMCS is exposed to the internet, attackers can exploit this vulnerability remotely after obtaining any user credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can exploit this to gain administrative privileges within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is simple to execute with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.5 or later

Vendor Advisory: https://github.com/openbmcs/openbmcs/releases

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download OpenBMCS 2.5 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the OpenBMCS service.
5. Verify user permissions are correctly configured.

🔧 Temporary Workarounds

Restrict access to useradmin plugin

all

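Block or restrict access to the vulnerable /plugins/useradmin/ directory. A blanket deny also blocks legitimate administrators from the user management pages while the rule is in place.

# For Apache 2.4: add to the server or virtual host config
# (<Location> is not permitted in .htaccess)
<Location "/plugins/useradmin/">
    Require all denied
</Location>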
# For Nginx: add to server block
location /plugins/useradmin/ {
    deny all;
}

Implement strict input validation

all

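Add validation to the update_user_permissions.php script so that it rejects requests from non-admin sessions before it processes any POST data

# Add to update_user_permissions.php before processing POST data
# The 'admin' session key is illustrative; use the key the application sets for administrators.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
if (!isset($_SESSION['admin']) || $_SESSION['admin'] !== true) {
    http_response_code(403);
    exit('Access denied');
}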

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the OpenBMCS interface
  • Enable detailed logging and monitoring for privilege escalation attempts and user permission changes

🔍 How to Verify

Check if Vulnerable:

Check if running OpenBMCS version 2.4 by examining version files or web interface. Test by attempting to access /plugins/useradmin/update_user_permissions.php with a non-admin account.

Check Version:

grep -r 'version' /path/to/openbmcs/ | grep -F '2.4' || cat /path/to/openbmcs/VERSION

Verify Fix Applied:

After patching, verify version is 2.5 or later. Test that non-admin users cannot modify user permissions via the update_user_permissions.php script.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /plugins/useradmin/update_user_permissions.php from non-admin users
  • User permission changes from non-admin accounts
  • Multiple failed permission modification attempts

Network Indicators:

  • HTTP POST requests to vulnerable endpoint with permission modification parameters
  • Unusual user agent strings or source IPs accessing useradmin endpoints

SIEM Query:

source="web_logs" AND (url="/plugins/useradmin/update_user_permissions.php" OR url CONTAINS "useradmin") AND (user_role!="admin" OR user="readonly") AND http_method="POST"
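
The first log indicator above, worked as an added example (not code from the OpenBMCS project or from this advisory): a scan of combined-format web access logs for POSTs to the endpoint from sources outside an administrator allowlist. The allowlist, the IP addresses and the sample log lines are constructed assumptions, since access logs do not record the application role.

```python
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/plugins/useradmin/update_user_permissions.php"
# Assumption: administrators work from known addresses (constructed value).
ADMIN_SOURCES = {"10.0.5.10"}

# Apache/Nginx "combined" access-log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Drop the query string, decode %xx, collapse '//' and '.'/'..' segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def find_suspect_posts(lines, admin_sources=ADMIN_SOURCES):
    """Return (ip, timestamp, status, severity) for each POST to ENDPOINT
    that did not come from an allowlisted admin source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalise(m["target"])
        # Match the script itself and PATH_INFO forms (script.php/extra).
        if path != ENDPOINT and not path.startswith(ENDPOINT + "/"):
            continue
        if m["ip"] in admin_sources:
            continue
        status = int(m["status"])
        # A 2xx response means the server processed the request instead of rejecting it.
        severity = "high" if 200 <= status < 300 else "low"
        findings.append((m["ip"], m["ts"], status, severity))
    return findings

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '10.0.5.10 - - [12/Mar/2024:09:14:02 +0000] "POST /plugins/useradmin/update_user_permissions.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.7.44 - - [12/Mar/2024:09:20:31 +0000] "POST /plugins//useradmin/update_user_permissions.php HTTP/1.1" 200 498 "-" "python-requests/2.31"',
    '10.0.7.44 - - [12/Mar/2024:09:21:00 +0000] "GET /plugins/useradmin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.8.9 - - [12/Mar/2024:09:30:12 +0000] "POST /plugins/useradmin/%75pdate_user_permissions.php HTTP/1.1" 403 120 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for finding in find_suspect_posts(SAMPLE_LOG):
        print(*finding)
```

High-severity findings are the ones to correlate with user permission changes in the application's own records.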
