ImpressCMS 1.4.2 RCE: Authenticated Attackers Can Execute Arbitrary Code
The National Vulnerability Database has detailed CVE-2021-47938, a high-severity remote code execution (RCE) vulnerability within ImpressCMS version 1.4.2. This flaw resides in the autotasks administrative interface, allowing authenticated attackers to inject malicious PHP code into the sat_code parameter. The CVSS score for this vulnerability is 8.8 (HIGH), with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it’s easily exploitable over the network with low privileges, leading to complete compromise of confidentiality, integrity, and availability.
Attackers leverage this by submitting a POST request to /modules/system/admin.php?fct=autotasks&op=mod with specially crafted sat_code containing PHP commands. This action creates an executable file on the server that subsequently accepts arbitrary commands via GET parameters. The critical aspect here is the authenticated access requirement; however, a compromised low-privilege account is all an attacker needs to escalate to full system control.
This is a classic CWE-94 ‘Improper Control of Generation of Code (‘Code Injection’)’ scenario. For defenders, the implication is clear: if an attacker gains even basic administrative credentials for ImpressCMS, they effectively own the server. The low complexity and network-based vector make this a prime target for lateral movement once initial access is achieved.
What This Means For You
- If your organization uses ImpressCMS, especially version 1.4.2, immediately verify if patches for CVE-2021-47938 have been applied. Audit your web server logs for any suspicious POST requests to `/modules/system/admin.php?fct=autotasks&op=mod` from unexpected IP addresses or unusual user accounts. Prioritize patching or upgrading to a secure version to mitigate this critical RCE.
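One way to run the log audit recommended above, as an added example (not code from the original post or from ImpressCMS): it scans Combined Log Format lines for POSTs to the autotasks `op=mod` endpoint and separates expected admin source IPs from all others. The log format, the `expected_ips` allowlist and the sample lines are assumptions. This log format does not record POST bodies, so the script matches on method, path and query string only.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD uri proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_PATH = "/modules/system/admin.php"  # endpoint named in the advisory

def is_autotasks_mod(method, uri):
    """True for a POST to admin.php with fct=autotasks and op=mod, in any parameter order."""
    parts = urlsplit(uri)
    # endswith() also covers installs under a subdirectory such as /cms/
    if method != "POST" or not parts.path.endswith(ADMIN_PATH):
        return False
    q = parse_qs(parts.query)
    return "autotasks" in q.get("fct", []) and "mod" in q.get("op", [])

def audit(lines, expected_ips=frozenset()):
    """Return (hits, per_ip): every matching request, and counts per unexpected source IP."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_autotasks_mod(m["method"], m["uri"]):
            continue
        unexpected = m["ip"] not in expected_ips
        hits.append({"ip": m["ip"], "ts": m["ts"],
                     "status": int(m["status"]), "unexpected": unexpected})
        if unexpected:
            per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [10/May/2026:09:01:12 +0000] "GET /modules/system/admin.php?fct=autotasks HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/May/2026:09:02:40 +0000] "POST /modules/system/admin.php?fct=autotasks&op=mod HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [10/May/2026:23:14:03 +0000] "POST /cms/modules/system/admin.php?op=mod&fct=autotasks HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.5 - - [10/May/2026:23:20:00 +0000] "POST /modules/system/admin.php?fct=users&op=mod HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, per_ip = audit(SAMPLE, expected_ips={"192.0.2.10"})
    for h in hits:
        print(h)
    print("unexpected sources:", dict(per_ip))
```

Hits from expected addresses are still returned so they can be checked against known autotask changes.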
🛡️ Detection Rules
CVE-2021-47938: ImpressCMS Authenticated RCE via autotasks
```yaml
# Title is quoted because the value itself contains ": ".
title: 'CVE-2021-47938: ImpressCMS Authenticated RCE via autotasks'
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
    Detects the specific POST request to the ImpressCMS autotasks administrative interface with the 'sat_code' parameter, which is used to exploit CVE-2021-47938 for arbitrary code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2021-47938/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri|contains:
            - '/modules/system/admin.php?fct=autotasks&op=mod'
        cs-method:
            - 'POST'
        # Matches only when sat_code appears in the logged query string;
        # a sat_code sent in the POST body is not visible in this field.
        cs-uri-query|contains:
            - 'sat_code='
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47938 | RCE | ImpressCMS 1.4.2 |
| CVE-2021-47938 | RCE | Vulnerable component: autotasks administrative interface |
| CVE-2021-47938 | RCE | Vulnerable parameter: sat_code |
| CVE-2021-47938 | RCE | POST request to /modules/system/admin.php?fct=autotasks&op=mod |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 10, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.