CVE-2021-47903
📋 TL;DR
CVE-2021-47903 is an authenticated command injection in LiteSpeed Web Server Enterprise. A user who holds WebAdmin console credentials can submit a crafted value through the external app configuration interface that the server passes into a bash command line; combined with path traversal in the same interface, this yields execution of arbitrary shell commands on the host. The only prerequisite is an administrative login, so the exposure is any deployment whose WebAdmin console (default TCP port 7080) is reachable by someone who can obtain or abuse an admin account, and whose build is older than the 5.4.12 fix.
💻 Affected Systems
- LiteSpeed Web Server Enterprise
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version range, so automated matching cannot decide from a version string alone whether a given install is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD). The vendor fix named on this page is 5.4.12; until you have confirmed otherwise, treat any build below 5.4.12 as affected.
- Review the CVE details at NVD and the Exploit-DB entry referenced under Exploit Status
- Check LiteSpeed's release notes and security advisories for the branch you run
- Confirm the installed version with /usr/local/lsws/bin/lshttpd -v (see How to Verify); if you need a behavioural confirmation, test against a staging copy, not production
- Update to 5.4.12 or later; where that is not possible yet, apply the workarounds below
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary command execution on the host in the context of the account the server launches external applications under (typically the web server user). From there an attacker can read application data and credentials, plant persistence and pivot to other systems; where the server or its external apps run with elevated privileges, this is complete takeover of the machine.
Likely Case
An attacker who has obtained WebAdmin credentials (phished, reused from another breach, or guessed against an exposed console) turns them into a shell on the host, installs a backdoor or web shell, and alters server configuration to keep access.
If Mitigated
If the WebAdmin console is reachable only from a management network and admin accounts are few, strongly authenticated and monitored, the remaining exposure is an insider or an attacker who has already stolen admin credentials; the vulnerability then escalates what such an account can do from configuration changes to shell execution.
🎯 Exploit Status
Exploitation requires a valid WebAdmin console login; no unauthenticated path is described. Public exploit code is available on Exploit-DB, so assume any exposed admin console with weak or reused credentials can be turned into code execution with no further research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.12 or later
Vendor Advisory: https://www.litespeedtech.com/
Restart Required: Yes
Instructions:
1. Back up the current configuration (the configuration directory is /usr/local/lsws/conf on a default install) before changing anything.
2. Download 5.4.12 or later from the LiteSpeed website.
3. Install the updated version.
4. Restart the LiteSpeed service.
5. Confirm the new version with /usr/local/lsws/bin/lshttpd -v.
🔧 Temporary Workarounds
Restrict Administrative Access
Linux: limit access to the WebAdmin console (default TCP port 7080) to trusted management addresses only.
# Allow the WebAdmin port from a trusted management host, then drop everything else.
# Replace trusted_ip with the address or CIDR range of your admin workstation or jump host.
# The rules are appended (-A), so check that no earlier INPUT rule already accepts port 7080.
iptables -A INPUT -p tcp --dport 7080 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 7080 -j DROP
Alternatively, bind the WebAdmin listener to the loopback address in the console's listener settings and reach it over an SSH tunnel, so the port is never exposed on a routable interface.
Reduce the External App Attack Surface
All platforms: the external app configuration is a page inside the WebAdmin console rather than a separate service, so the practical control is who can reach and log in to that console. Until patched, review the configured external apps and remove definitions that are not needed, remove or disable admin accounts that are not required, rotate the credentials of the rest, and treat any external app whose command is not the expected interpreter binary as a finding.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate LiteSpeed servers from critical systems
- Enforce multi-factor authentication for all administrative accounts and monitor admin access logs
🔍 How to Verify
Check if Vulnerable:
Run /usr/local/lsws/bin/lshttpd -v (default install path) or read the version shown in the WebAdmin console; any build below 5.4.12 is vulnerable.
Check Version:
/usr/local/lsws/bin/lshttpd -v
Verify Fix Applied:
The banner reports 5.4.12 or later and the WebAdmin console shows the same version after the service restart. Compare the version numerically, not as a string (5.4.9 sorts after 5.4.12 lexically). Do not replay the public exploit against production; if you need a behavioural check, run it against a staging copy.
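The version check above is easy to get wrong by comparing strings. The script below is an added example, not code from the original page or from LiteSpeed Technologies: it parses the banner printed by lshttpd -v and compares the version field by field against 5.4.12. The banner layout "LiteSpeed/x.y.z Enterprise" and the default binary path are assumptions about a typical install; the sample banners are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original page or from LiteSpeed Technologies:
# parse the banner printed by `/usr/local/lsws/bin/lshttpd -v` and decide
# whether the installed build is older than the 5.4.12 fix named in this advisory.

FIXED_VERSION="5.4.12"
LSHTTPD="/usr/local/lsws/bin/lshttpd"   # default install path (assumption)

# extract_lsws_version BANNER
#   Print the x.y.z version from the first "LiteSpeed/x.y.z ..." line.
#   The banner layout is an assumption about typical `lshttpd -v` output.
extract_lsws_version() {
    printf '%s\n' "$1" | sed -n 's#^[[:space:]]*LiteSpeed/\([0-9][0-9.]*[0-9]\).*#\1#p' | head -n 1
}

# version_lt A B
#   Exit 0 when dotted version A is numerically lower than B. Each field is
#   compared as an integer, so 5.4.9 < 5.4.12 (a plain string compare gets
#   this wrong); a missing trailing field counts as 0, so 5.4 == 5.4.0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1   # versions are equal
}

# assess_banner BANNER
#   Print VULNERABLE, PATCHED or UNKNOWN for a captured `lshttpd -v` banner.
assess_banner() {
    v=$(extract_lsws_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE ($v < $FIXED_VERSION)"
    else
        echo "PATCHED ($v >= $FIXED_VERSION)"
    fi
}

# Constructed sample banners (not captured from a real host).
SAMPLE_OLD='LiteSpeed/5.4.11 Enterprise
	module versions:
	cache 1.62'
SAMPLE_NEW='LiteSpeed/5.4.12 Enterprise'

# When run on a host with LiteSpeed installed, assess the local binary.
if [ -x "$LSHTTPD" ]; then
    assess_banner "$("$LSHTTPD" -v 2>&1)"
fi
```

Run it as-is on the server; with no LiteSpeed binary present it only defines the functions, which you can call from another script or feed a banner captured elsewhere via assess_banner.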
📡 Detection & Monitoring
Log Indicators:
- External app definitions whose command line is not the expected interpreter binary (for example lsphp), or that contains shell metacharacters, redirections or ../ sequences
- Multiple failed WebAdmin logins followed by a successful one, especially from an address outside your management range
- External app configuration changes recorded in the WebAdmin console logs (by default under /usr/local/lsws/admin/logs/) outside an approved change window
Network Indicators:
- Unusual outbound connections from LiteSpeed server
- Traffic to known malicious IPs from server
SIEM Query:
source="litespeed.log" AND ("Command" OR "external app" OR "shell") AND (suspicious_patterns)
This is a template, not a ready-to-run query: adapt the source and field names to how your collector ingests the LiteSpeed and WebAdmin logs, and expand suspicious_patterns to the tokens that should never appear in a legitimate external app command, such as ";", "|", "`", "$(" and "../".
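Log queries only see what was written to the log; the host itself also shows a successful injection as an unexpected child process of the web server. The script below is an added example, not code from the original page or from LiteSpeed Technologies: it walks a ps-style process table, finds the LiteSpeed server processes, expands to all of their transitive descendants and reports any that are shells or network tools. The server process name "litespeed" (and "lshttpd") and the list of suspect command names are assumptions to adjust for your environment; the sample process table is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page or from LiteSpeed Technologies:
# walk a process table and report shells or network tools running underneath
# the LiteSpeed server. External apps such as lsphp are legitimate children of
# the server; an interactive shell, nc or curl under it is the host-side
# footprint a successful command injection would leave.

# Process names the server is known by in `ps` output (assumption: the main
# binary lshttpd appears as "litespeed" on most installs).
SERVER_NAMES='litespeed lshttpd'

# Child command names that should not appear under the web server at all.
# Extend this list for your environment.
SUSPECT_NAMES='sh bash dash zsh ksh nc ncat netcat socat curl wget python python3 perl telnet'

# in_list NEEDLE "a b c": exit 0 when NEEDLE is one of the space-separated words.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# server_pids TABLE: print the PIDs whose command name is a server name.
# TABLE is text shaped like `ps -eo pid,ppid,user,comm` with the header removed.
server_pids() {
    printf '%s\n' "$1" | while read -r pid ppid user comm; do
        if [ -n "$pid" ] && in_list "${comm##*/}" "$SERVER_NAMES"; then
            printf '%s ' "$pid"
        fi
    done
}

# descendants TABLE "ROOT PIDS": expand the root set to every transitive child,
# so a shell that in turn spawned nc is caught even though nc's parent is bash.
descendants() {
    known="$2"
    while :; do
        added=$(printf '%s\n' "$1" | while read -r pid ppid user comm; do
            if [ -n "$pid" ] && ! in_list "$pid" "$known" && in_list "$ppid" "$known"; then
                printf '%s ' "$pid"
            fi
        done)
        [ -z "$added" ] && break
        known="$known $added"
    done
    printf '%s\n' "$known"
}

# flag_suspect_processes TABLE: print one SUSPECT line per descendant of the
# server whose command name is in SUSPECT_NAMES.
flag_suspect_processes() {
    roots=$(server_pids "$1")
    [ -z "$roots" ] && return 0
    tree=$(descendants "$1" "$roots")
    printf '%s\n' "$1" | while read -r pid ppid user comm; do
        if [ -n "$pid" ] && in_list "$pid" "$tree" && in_list "${comm##*/}" "$SUSPECT_NAMES"; then
            printf 'SUSPECT pid=%s ppid=%s user=%s comm=%s\n' "$pid" "$ppid" "$user" "$comm"
        fi
    done
}

# Constructed process table (not captured from a real host): the server and two
# lsphp workers are normal; the bash under a worker and the nc under that bash
# are what an injected reverse shell would look like. The root bash under sshd
# is unrelated and must not be flagged.
SAMPLE_PS='    1     0 root   systemd
 1200     1 root   litespeed
 1201  1200 nobody litespeed
 1300  1201 nobody lsphp
 1301  1201 nobody lsphp
 1400  1201 nobody bash
 1500  1400 nobody nc
 2000     1 root   sshd
 2100  2000 root   bash'

# Check the live host when invoked as: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    flag_suspect_processes "$(ps -eo pid,ppid,user,comm | tail -n +2)"
fi
```

On the constructed table the script reports the bash under the lsphp worker and the nc beneath it, and stays silent about the administrator's bash under sshd. Run it from cron or an EDR script hook with --live and alert on any output.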