Critical (9.8)

OpenCATS unauthenticated RCE (CVE-2021-47936)


CVE-2021-47936: OpenCATS 0.9.4 unauthenticated RCE via PHP file upload to job application endpoint (CVSS 9.8). No patch available; remove the careers module or restrict upload directories.

Act now - CVE-2021-47936 is a critical unauthenticated remote code execution vulnerability in OpenCATS 0.9.4. An attacker can upload an arbitrary PHP file through the resume attachment field of the careers module and run system commands as the web server user. No vendor patch is available, so the mitigations below must be applied immediately.

Overview

CVE-2021-47936 affects OpenCATS 0.9.4, an open-source applicant tracking system. The vulnerability resides in the careers job application endpoint, which accepts file uploads from unauthenticated visitors. The endpoint does not validate the uploaded file's extension or content, so an attacker can submit a PHP web shell in the field intended for resume documents (.doc, .pdf). The file is written to the application's uploads directory under a web-accessible path, and a single direct request to it (GET or POST) is enough to make the web server execute the PHP code. The CVSS score of 9.8 reflects a network-reachable endpoint, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability.

Impact

Successful exploitation grants an unauthenticated attacker full remote code execution with the privileges of the web server user. This typically means the attacker can:

  • Read, modify, or delete application data and configuration files.
  • Execute arbitrary system commands to enumerate the environment.
  • Use the compromised server as a foothold for lateral movement within the internal network.
  • Deface the application or deploy ransomware.

Because the attacker gains shell-level access, the impact can compromise the confidentiality, integrity, and availability of the entire host server.

Remediation and Mitigation

As of this writing, no official patch has been released for OpenCATS 0.9.4. Until a fix is provided, apply the following mitigations:

  1. Disable the careers module if your deployment does not require unauthenticated job applications. This removes the vulnerable upload endpoint.
  2. Configure the web server so nothing in the uploads directory is ever executed as PHP. Use web server configuration (.htaccess for Apache, location blocks for Nginx) to deny access to files whose name contains a PHP extension, including double extensions such as shell.php.pdf, and to disable the PHP handler for that directory.
  3. Implement a WAF rule (e.g., ModSecurity) to block multipart uploads whose filename carries a PHP or double extension or whose declared content type is PHP.
  4. Monitor access logs for any request (GET or POST) to a file with a PHP extension under the upload path, especially shortly after a job application was submitted.

If you must keep the module online, run OpenCATS in a container with a read-only root filesystem, mount only the uploads directory writable, and keep that directory excluded from PHP handling as in step 2, so that a file which does get written cannot be executed or used to modify the application.
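
The script below is an added example written for this advisory; it is not code from the OpenCATS project or from the advisory's authors. It deploys steps 2 and 4 above: it writes an Apache .htaccess that refuses to serve or execute PHP-like files in the upload directory, prints the equivalent Nginx location block, and scans combined-format access logs for requests to PHP files under the upload path. The function names, the upload directory and URL prefix (/attachments) and the sample log lines are assumptions and constructed data, not values taken from the advisory; confirm where your own deployment writes attachments before using it.

```shell
#!/usr/bin/env bash
# Added example (not OpenCATS code): deploy the "no PHP execution in the upload
# directory" mitigation and scan access logs for hits on uploaded PHP files.
# ASSUMPTIONS: the web-accessible upload directory and its URL prefix are passed
# in as arguments (e.g. /var/www/opencats/attachments and /attachments); these
# are illustrative, not paths documented in the advisory.
set -eu

# Extensions that Apache/PHP deployments commonly map to the PHP handler.
PHP_EXTS='(php|phtml|phar|phps|php[3-8])'

# Apache 2.4: deny any file whose name contains a PHP-like extension anywhere
# ("shell.php" and "shell.php.pdf" alike), case-insensitively, because mod_mime
# matches extensions case-insensitively. php_flag is wrapped in IfModule since
# it is an unknown directive (HTTP 500 for the whole directory) without mod_php.
# AllowOverride for this directory must permit FileInfo and AuthConfig/Limit.
write_apache_htaccess() {
  local dir="$1"
  cat > "$dir/.htaccess" <<EOF
<FilesMatch "(?i)\\.${PHP_EXTS}(\\.|\$)">
    Require all denied
</FilesMatch>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
EOF
}

# Nginx: emit a location that must appear BEFORE the generic "location ~ \.php$"
# block. nginx uses the first matching regex location, so order decides whether
# php-fpm ever sees the request.
write_nginx_snippet() {
  local url_prefix="$1"
  cat <<EOF
location ~* ^${url_prefix}/.*\\.${PHP_EXTS}(\\.|\$) {
    return 403;
}
EOF
}

# Flag any request (GET, POST or HEAD) for a PHP-extension file under the upload
# prefix. Reads Apache/nginx combined-format lines on stdin and prints matches;
# exits 0 even with no matches so it can sit in a pipeline under "set -e".
scan_upload_log() {
  local url_prefix="$1"
  local pat="\"(GET|POST|HEAD) ${url_prefix}/[^\" ]*\\.${PHP_EXTS}(\\.|\\?|\"| |$)"
  grep -Ei "$pat" || true
}

# Constructed sample log lines (not real traffic): an application submitted to
# the careers module, two hits on an uploaded shell (plain and double extension),
# and two benign requests that must not be flagged.
SAMPLE_LOG='203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "POST /careers/index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:10:01:05 +0000] "GET /attachments/42/cv.php HTTP/1.1" 200 88
203.0.113.5 - - [10/Jan/2025:10:01:09 +0000] "POST /attachments/42/cv.php.pdf HTTP/1.1" 200 91
198.51.100.7 - - [10/Jan/2025:10:02:00 +0000] "GET /attachments/17/resume.pdf HTTP/1.1" 200 40213
198.51.100.7 - - [10/Jan/2025:10:02:30 +0000] "GET /index.php?m=home HTTP/1.1" 200 1200'

# Stand-alone usage: harden_uploads.sh <upload_dir> <url_prefix> [access_log]
# Without an access log the constructed sample above is scanned instead.
if [ "$#" -ge 2 ]; then
  write_apache_htaccess "$1"
  write_nginx_snippet "$2"
  if [ "$#" -ge 3 ]; then
    scan_upload_log "$2" < "$3"
  else
    printf '%s\n' "$SAMPLE_LOG" | scan_upload_log "$2"
  fi
fi
```

Two cautions when using it: the Apache rule only takes effect if AllowOverride permits it (otherwise put the same FilesMatch block in the vhost's Directory section), and the Nginx location is ignored if it is placed after the generic PHP location. This is a containment measure, not a fix: the upload endpoint still accepts the file, so keep the log scan running and treat any hit as an active intrusion attempt.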

Security Insight

This vulnerability is a textbook case of an insecure file upload function lacking validation, a common pattern in older open-source HR and recruitment applications. CVE-2021-47936 highlights the risk of accepting unauthenticated uploads without strict validation of file extension and content, and of serving the upload directory from the same PHP-enabled web root as the application. The two controls that would have neutralised it, and that apply to any resume or attachment feature, are validating what is accepted (an extension allowlist, a content check, and a server-generated filename) and ensuring that whatever is accepted can never be executed (storage outside the web root, or a directory where the PHP handler is disabled).
