CVE-2021-47728

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary shell commands on Selea Targa IP OCR-ANPR cameras without authentication. Attackers can exploit command injection in the utils.php file to gain www-data user access and potentially full system control. Organizations using these cameras in security or surveillance systems are affected.

💻 Affected Systems

Products:
  • Selea Targa IP OCR-ANPR Camera
Versions: Specific versions not publicly documented, but likely multiple firmware versions
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration; no special settings required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install persistent backdoors, exfiltrate surveillance footage, pivot to internal networks, or disable security systems entirely.

🟠 Likely Case

Attackers gain www-data user access to execute commands, potentially accessing camera feeds, modifying configurations, or using the device as a foothold for further attacks.

🟢 If Mitigated

If properly segmented and monitored, impact limited to isolated camera system with no network access to critical assets.

🌐 Internet-Facing: HIGH - Unauthenticated remote code execution on internet-exposed surveillance cameras creates significant security and privacy risks.
🏢 Internal Only: MEDIUM - While less exposed, internal attackers or malware could still exploit this to pivot through networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Exploit-DB (ID 49460) with working proof-of-concept; exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.selea.com

Restart Required: No

Instructions:

Check Selea website for security advisories and firmware updates. If available, download latest firmware and follow vendor update procedures.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate cameras in separate VLAN with strict firewall rules blocking all inbound internet access and limiting internal communication.

Web Interface Restriction (all)

Block access to camera web interface from untrusted networks using firewall rules or reverse proxy with authentication.

🧯 If You Can't Patch

  • Immediately remove cameras from internet exposure and place behind strict firewall with only necessary outbound connectivity
  • Implement network monitoring for unusual outbound connections or command execution patterns from camera IPs

🔍 How to Verify

Check if Vulnerable:

Check if camera responds to exploitation attempts targeting /utils.php with addr/port parameter injection, or review firmware version against vendor advisories.

Check Version:

Check the firmware version via the camera web interface under System > Information or a similar menu.

Verify Fix Applied:

Test exploitation attempts after applying vendor patches; successful exploitation should no longer work.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to utils.php with shell metacharacters in parameters
  • Command execution patterns in system logs
  • Unexpected processes running as www-data

Network Indicators:

  • Outbound connections from camera to unexpected destinations
  • Unusual traffic patterns from camera IP

SIEM Query:

source="camera_logs" AND (url="/utils.php" AND (param="addr" OR param="port") AND value MATCHES "[;|&`$()]")
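
The SIEM query above assumes the log pipeline already splits parameters and decodes values. The following is an added example (not from the advisory or the vendor) that applies the same check to raw web-server access lines in Common Log Format, percent-decoding values so that encoded metacharacters such as `%3B` or a doubly encoded `%253B` are still caught; the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shell metacharacter class taken from the SIEM query on this page.
META = re.compile(r"[;|&`$()]")
WATCHED_PARAMS = ("addr", "port")

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two benign requests, two carrying metacharacters.
SAMPLE_LOG = [
    '192.0.2.7 - - [10/Jan/2021:12:00:01 +0000] "GET /utils.php?addr=192.0.2.10&port=80 HTTP/1.1" 200 51',
    '192.0.2.7 - - [10/Jan/2021:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 1240',
    '198.51.100.23 - - [10/Jan/2021:12:00:09 +0000] "GET /utils.php?addr=192.0.2.10%3Bx&port=80 HTTP/1.1" 200 51',
    '198.51.100.23 - - [10/Jan/2021:12:00:10 +0000] "GET /utils.php?addr=192.0.2.10&port=80%7Cx HTTP/1.1" 200 51',
]


def suspicious_params(target):
    """Return {param: [values]} for watched /utils.php parameters whose
    value contains a shell metacharacter after decoding. parse_qs decodes
    percent-encoding once; the extra unquote() catches double encoding."""
    parts = urlsplit(target)
    if parts.path != "/utils.php":
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        bad = [v for v in values if META.search(unquote(v))]
        if bad:
            hits[name] = bad
    return hits


def scan(lines):
    """Parse access-log lines and return one alert per suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"src": m["ip"], "time": m["time"], "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Standard access logs record only the request line, so parameters sent in a POST body (the page's first log indicator) are not visible here; covering them needs request-body logging on the web server or an upstream reverse proxy or WAF.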
