Evolution CMS RCE (CVE-2021-47939) Allows Authenticated Code Execution
The National Vulnerability Database highlights CVE-2021-47939, a high-severity remote code execution (RCE) vulnerability in Evolution CMS version 3.1.6. This flaw, rated 8.8 CVSSv3.1, allows authenticated users with module creation permissions to inject and execute arbitrary PHP code within module parameters. This isn’t some complex exploit chain; it’s a direct code injection.
Attackers can leverage this by sending crafted POST requests to /manager/index.php. By embedding malicious PHP code into the ‘post’ parameter, they can create modules that execute arbitrary system commands when invoked. This bypasses typical defenses because it’s a feature abuse, not a protocol exploit. It’s a classic case of improper input validation leading to dangerous consequences.
The implications are clear: if an attacker gains even low-level authenticated access to an Evolution CMS instance, they can escalate to full system compromise. Defenders need to recognize that ‘authenticated’ doesn’t mean ‘safe’ when the authentication mechanism itself grants too much power or is vulnerable to bypass. Audit your user permissions rigorously and ensure no unnecessary module creation rights are granted, especially to less trusted accounts.
What This Means For You
- If your organization uses Evolution CMS, especially version 3.1.6 or earlier, you need to immediately verify your version and patch to a secure release. More critically, audit all user accounts with module creation permissions. Revoke these rights unless absolutely necessary and implement least privilege. An attacker only needs one compromised credential to take over your system.
🛡️ Detection Rules
Web Application Exploitation Attempt — CVE-2021-47939
```yaml
title: Web Application Exploitation Attempt — CVE-2021-47939
id: scw-2026-05-10-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2021-47939 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47939/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2021-47939
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47939 | RCE | Evolution CMS 3.1.6 |
| CVE-2021-47939 | RCE | Authenticated users with module creation permissions |
| CVE-2021-47939 | RCE | PHP code injection into module parameters |
| CVE-2021-47939 | RCE | POST request to /manager/index.php with malicious PHP code in 'post' parameter |
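
The Sigma rule above matches only the URI query string (`cs-uri-query`), while the request described on this page carries the PHP in a POST body field, which default access log formats do not record. As an added example (not from the original page or the Evolution CMS project), this Python check runs over request records that include the body, such as a WAF or audit log. The record field names, the marker list and the sample records are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

MANAGER_PATH = "/manager/index.php"  # endpoint named on this page
PARAM = "post"                       # form parameter named on this page

# Heuristic markers of PHP code inside a form value (assumed list; tune locally).
PHP_MARKERS = re.compile(
    r"<\?(?:php|=)"
    r"|\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    re.IGNORECASE,
)

def inspect_request(rec):
    """Return a finding for a manager POST whose 'post' field holds PHP markers."""
    if (rec["method"].upper() != "POST"
            or urlsplit(rec["uri"]).path != MANAGER_PATH):
        return None
    # Assumes an application/x-www-form-urlencoded body; parse_qs URL-decodes it.
    fields = parse_qs(rec["body"], keep_blank_values=True)
    for key, values in fields.items():
        # PHP also exposes post[...]=v as the 'post' parameter (array form).
        if key != PARAM and not key.startswith(PARAM + "["):
            continue
        for value in values:
            hit = PHP_MARKERS.search(value)
            if hit:
                return {"user": rec["user"], "src": rec["src"], "marker": hit.group(0)}
    return None

def scan(records):
    """Run inspect_request over all records and keep only the findings."""
    return [f for f in map(inspect_request, records) if f]

# Constructed sample records (hypothetical field names, documentation IPs).
SAMPLE = [
    {"method": "POST", "uri": "/manager/index.php", "user": "editor1",
     "src": "203.0.113.7", "body": "name=Gallery&post=%3C%3Fphp+echo+1%3B"},
    {"method": "POST", "uri": "/manager/index.php", "user": "admin",
     "src": "198.51.100.4", "body": "name=Gallery&post=width%3D200"},
    {"method": "GET", "uri": "/manager/index.php", "user": "admin",
     "src": "198.51.100.4", "body": ""},
    {"method": "POST", "uri": "/manager/index.php", "user": "editor2",
     "src": "203.0.113.9", "body": "post%5Bcfg%5D=System+%28%27CONSTRUCTED%27%29"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit is a triage lead, not proof of compromise: correlate the flagged account with its module creation rights and recent logins.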
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 10, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.