CRITICAL · CVE-2021-21433 · CVSS 9.9

CVE-2021-21433: RCE in Discord-Recon Server

Platform

python

Component

discord-recon

Fixed in

0.0.2

AI Confidence: high · NVD · EPSS 5.4% · Reviewed: May 2026

CVE-2021-21433 describes a Remote Code Execution (RCE) vulnerability within Discord-Recon Server, a bot designed for reconnaissance tasks. This vulnerability allows unauthorized remote users to execute commands on the server, potentially leading to complete system compromise. The vulnerability affects versions of Discord-Recon Server up to and including 0.0.1, and a fix is available in version 0.0.2.


Impact and Attack Scenarios

The impact of this RCE vulnerability is severe. An attacker exploiting this flaw gains the ability to execute arbitrary commands on the server hosting the Discord-Recon bot. This could lead to data exfiltration, malware installation, system takeover, and lateral movement within the network. Depending on the server's configuration and access privileges, the attacker could potentially compromise other systems connected to the same network. The bot's reconnaissance capabilities could also be abused to gather sensitive information about the target environment.

Exploitation Context

This vulnerability was publicly disclosed on April 9, 2021. While no active exploitation campaigns have been definitively linked to CVE-2021-21433, the ease of exploitation and the potential impact make it a high-priority target. No public proof-of-concept (PoC) code has been widely distributed, but the vulnerability's nature suggests that such code could be developed relatively easily. It is not listed on the CISA KEV catalog as of this writing.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

5.41% (90th percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H (base score 9.9, Critical)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: discord-recon
Vendor: DEMON1A
Affected range: <= 0.0.1
Fixed in: 0.0.2
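The affected range above (discord-recon <= 0.0.1, fixed in 0.0.2) can be checked offline against a project's dependency manifests. The script below is an added example, not code from the advisory or from the discord-recon project: it scans a requirements.txt and a Pipfile.lock for the package, normalises the name as pip does, and reports an exact pin as vulnerable or fixed, while a range or URL requirement is reported as unpinned because only a resolver (or a lock file) can tell which release it will install. The sample manifest contents are constructed for the demonstration.

```python
"""Check Python dependency manifests for the CVE-2021-21433 affected range.

Added example, not part of the advisory or the discord-recon project.
Affected range per the advisory: discord-recon <= 0.0.1, fixed in 0.0.2.
"""
import json
import re

PACKAGE = "discord-recon"
FIXED_VERSION = (0, 0, 2)  # first fixed release stated by the advisory

_OP = r"(?:===|==|~=|>=|<=|!=|<|>)"
# Matches "name[extras] <op> version, <op> version" at the start of a
# requirements.txt line; environment markers (after ';') are left unmatched.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(?P<spec>" + _OP + r"\s*[^,;#\s]+(?:\s*,\s*" + _OP + r"\s*[^,;#\s]+)*)?"
)


def normalize(name):
    """PEP 503 name normalisation: Discord_Recon, discord.recon -> discord-recon."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Turn '0.0.1' into (0, 0, 1); a non-numeric component ends the tuple."""
    parts = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def classify(spec):
    """Return 'vulnerable', 'fixed' or 'unpinned' for a version specifier.

    Only an exact pin (== or ===) can be judged without a resolver; any other
    specifier could install a release on either side of the fix.
    """
    if not spec:
        return "unpinned"
    for clause in spec.split(","):
        m = re.match(r"^(===|==)\s*(.+)$", clause.strip())
        if m:
            # Tuple comparison: (0, 0, 1) < (0, 0, 2) < (0, 1)
            return "fixed" if parse_version(m.group(2)) >= FIXED_VERSION else "vulnerable"
    return "unpinned"


def scan_requirements(text):
    """Return (line number, specifier, status) for each discord-recon requirement."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):  # skip options such as -r, --index-url
            continue
        m = _REQ_RE.match(line)
        if not m or normalize(m.group("name")) != PACKAGE:
            continue
        spec = m.group("spec") or ""
        findings.append((lineno, spec, classify(spec)))
    return findings


def scan_pipfile_lock(text):
    """Return (section, specifier, status) for discord-recon entries in a Pipfile.lock."""
    data = json.loads(text)
    findings = []
    for section in ("default", "develop"):
        for name, entry in data.get(section, {}).items():
            if normalize(name) != PACKAGE:
                continue
            spec = entry.get("version", "") if isinstance(entry, dict) else ""
            findings.append((section, spec, classify(spec)))
    return findings


# Constructed sample manifests (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests>=2.25
Discord_Recon==0.0.1 ; python_version >= "3.6"   # exact pin inside the affected range
discord-recon>=0.0.1                             # range: needs a resolver to judge
"""

SAMPLE_PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "constructed-placeholder"}},
    "default": {
        "discord-recon": {"version": "==0.0.2"},
        "requests": {"version": "==2.25.1"},
    },
    "develop": {},
})


def main():
    for lineno, spec, status in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements.txt:{lineno}: {PACKAGE} {spec or '(no pin)'} -> {status}")
    for section, spec, status in scan_pipfile_lock(SAMPLE_PIPFILE_LOCK):
        print(f"Pipfile.lock [{section}]: {PACKAGE} {spec} -> {status}")


if __name__ == "__main__":
    main()
```

An "unpinned" result is not a clean bill of health: a requirement such as `discord-recon>=0.0.1` still satisfies 0.0.1, so treat it as a finding to resolve against the lock file or the environment's installed version rather than as fixed.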

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2021-21433 is to upgrade Discord-Recon Server to version 0.0.2 or later immediately. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider isolating the affected server from the network to limit the impact of a successful exploit. A direct WAF rule is unlikely to be effective, because the bot receives its commands through Discord rather than through an HTTP endpoint you control; monitoring the server's logs for unexpected command execution is recommended instead. After upgrading, verify the fix by confirming the installed version is 0.0.2 or later and by attempting a command through the bot interface as an unauthorized user and confirming that it is rejected.

How to fix

Update Discord-Recon to version 0.0.2 or higher. This version fixes the remote code execution vulnerability, which was caused by improper input validation. You can update the package using pip: `pip install discord-recon==0.0.2`.


Frequently asked questions

What is CVE-2021-21433 — Remote Code Execution in Discord-Recon Server?

CVE-2021-21433 is a critical RCE vulnerability affecting Discord-Recon Server versions 0.0.1 and earlier, allowing attackers to execute commands on the server.

Am I affected by CVE-2021-21433 in Discord-Recon Server?

You are affected if you are running Discord-Recon Server version 0.0.1 or earlier. Upgrade to version 0.0.2 to resolve the vulnerability.

How do I fix CVE-2021-21433 in Discord-Recon Server?

Upgrade Discord-Recon Server to version 0.0.2 or later. If immediate upgrade is not possible, isolate the server to prevent exploitation.

Is CVE-2021-21433 being actively exploited?

While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.

Where can I find the official Discord-Recon advisory for CVE-2021-21433?

Refer to the project's repository or documentation for the official advisory and release notes regarding the fix.
