Threats / Acclaim Systems / CVE-2021-44207
CVE-2021-44207
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Acclaim Systems USAHERDS vulnerability
Acclaim Systems USAHERDS contains hard-coded credentials (CWE-798) enabling remote code execution. The vulnerability has been exploited in the wild.
Verdict
Today item — known-exploited.
An attacker with network access can leverage hard-coded credentials to authenticate to USAHERDS and execute arbitrary code on the host system, provided the MachineKey is obtained through a separate vulnerability or channel.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
3 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-12-23).
Probability (EPSS)
EPSS 0.17578 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Acclaim Systems, USAHERDS. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-798 Hard-coded Credentials — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I discover or obtain the hard-coded credentials embedded in the USAHERDS application.
Business
Credential exposure indicates inadequate secrets management and increases risk of unauthorized system access.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I use the hard-coded credentials to authenticate to the USAHERDS application interface.
Business
Unauthorized authentication bypasses access controls and grants attacker trusted application privileges.
3
Lateral reach — past segmentation narrative 3
Attacker
I obtain the MachineKey through a separate vulnerability or side channel to complete exploitation.
Business
Multi-stage exploitation compounds the attack surface and indicates systemic security gaps in the application architecture.
4
Data at risk — exfiltration narrative 4
Attacker
I execute arbitrary code on the system running USAHERDS with application-level privileges.
Business
Remote code execution enables data theft, system compromise, lateral movement, and operational disruption of livestock management infrastructure.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05