CVE-2021-20090
published 2021-04-29

Priority: P195, critical (CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.

Affected

4 ranges

Vendor  | Product                    | Version range | Fixed in
buffalo | wsr-2533dhp3-bk_firmware   | <= 1.24       |
buffalo | wsr-2533dhpl2-bk_firmware  | <= 1.02       |
kpn     | experia_wifi_firmware      |               |
telus   | prv65b444a-s-ts_firmware   |               |

Detection & IOCs (extracted from sources)

url: http://<host>/images/..%2findex.htm
url: http://<host>/js/..%2findex.htm
url: http://<host>/css/..%2findex.htm
path: /images/..%2fapply_abstract.cgi
path: /images/..%2finfo.html
path: /images/..%2fsystem_p.htm
path: /images/..%2fcgi/cgi_sys_p.js
path: /images/..%2fcgi/cgi_i_filter.js
command: curl --include -X POST http://<host>/apply_abstract.cgi -H "Referer: http://<host>/ping.html" --data "action=start_ping&httoken=<token>&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4"
command: action=start_ping&httoken=<token>&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4
other: ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1
cookie: lang=8; url=ping.html; mobile=false;
  • The authentication bypass uses URL-encoded traversal sequences (..%2f) inside the static asset directories that the web server serves without authentication (/images/, /js/, /css/) to reach authenticated pages without credentials. Detect HTTP requests whose URI contains one of these prefixes followed by a ..%2f sequence.
  • POST requests to /apply_abstract.cgi (or its path-traversal equivalent /images/..%2fapply_abstract.cgi) carrying the parameter ARC_SYS_TelnetdEnable=1 indicate exploitation to enable the Telnet service. Note that the parameter may be smuggled inside another field, e.g. ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1, so match on the URL-decoded body rather than on parsed key names alone.
  • A response from /cgi/cgi_i_filter.js containing the strings '/*DEMO*/' and 'addCfg(' indicates successful unauthenticated access to device configuration via path traversal (CVE-2021-20092 / CVE-2021-20090 chain).
  • The HTTP response header 'Server: Arcadyan httpd 1.0' identifies affected firmware. Use this banner to fingerprint vulnerable devices during scanning.
  • A redirect to /Success.htm (HTTP 302) after a POST to apply_abstract.cgi confirms successful configuration injection.
  • The httoken CSRF token on these devices is embedded in the DOM as a Base64-encoded value. Requests using a valid httoken obtained via unauthenticated path traversal to loginerror.html or system_p.htm indicate exploitation.
  • CVE-2021-20090 can be chained with CVE-2021-38703 (syslog configuration injection on Arcadyan-derived firmware) to achieve RCE. Detect both CVEs together in network traffic.
  • The authentication-bypass list (static asset directories: /images/, /js/, /css/) varies slightly per device model and vendor. The exact set of bypassable paths must be confirmed per target firmware.
  • CVE-2021-20091 and CVE-2021-20092 (configuration injection and improper access control) have only been confirmed on Buffalo WSR-2533 models, while CVE-2021-20090 affects the broader Arcadyan firmware supply chain across at least 13 ISPs.
  • Certain CGI files under /cgi/ require both a valid httoken and a valid Referer header; if the Referer contains the ..%2f traversal string it causes an error, so the PoC needs a proxy match/replace rule to work around this.
  • The HughesNet HT2000W exploit uses a Vigenère cipher with the hardcoded key 'wg7005d' to encode the password before submission; this is device-specific and may not apply to other Arcadyan-based devices.
  • The HughesNet HT2000W default web portal IP is 192.168.42.1; other Arcadyan-based devices may use different default gateway IPs (e.g., 192.168.11.1 seen in the PoC for Buffalo).
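The two request-side indicators above (the ..%2f traversal under an unauthenticated asset directory, and the Telnet-enable parameter smuggled into a POST to apply_abstract.cgi) as a small detector run over constructed request records. This is an added example, not code from the page's sources; the record layout and the sample entries are assumptions, and the token value is a placeholder.

```python
import re
from urllib.parse import unquote

# Static-asset prefixes the Arcadyan httpd serves without authentication; a
# URL-encoded "..%2f" after one of them steps back out into the protected tree.
TRAVERSAL_RE = re.compile(r"^/(images|js|css)/(?:[^?]*?)\.\.%2f", re.IGNORECASE)
TELNET_ENABLE = "ARC_SYS_TelnetdEnable=1"
TARGET_CGI = "apply_abstract.cgi"


def classify_request(method, path, body=""):
    """Return the CVE-2021-20090 indicators present in one HTTP request."""
    findings = []
    if TRAVERSAL_RE.search(path):
        findings.append("auth-bypass-traversal")
    # Decode the body once so a key injected via %0A (newline) inside another
    # parameter's value becomes a plain substring instead of hiding in parse_qs output.
    decoded = unquote(body)
    if (method.upper() == "POST" and path.split("?")[0].endswith(TARGET_CGI)
            and TELNET_ENABLE in decoded):
        findings.append("telnet-enable-injection")
        if "ARC_ping_ipaddress=\n" in decoded:
            findings.append("newline-parameter-injection")
    return findings


def scan_records(records):
    """Return (index, findings) for every record matching at least one indicator."""
    return [(i, f) for i, r in enumerate(records)
            if (f := classify_request(r["method"], r["path"], r.get("body", "")))]


# Constructed sample records (assumed reverse-proxy log shape), not real traffic.
SAMPLE_RECORDS = [
    {"method": "GET", "path": "/images/logo.png"},
    {"method": "GET", "path": "/images/..%2findex.htm"},
    {"method": "GET", "path": "/css/..%2Fcgi/cgi_i_filter.js"},
    {"method": "POST", "path": "/apply_abstract.cgi",
     "body": "action=start_ping&httoken=PLACEHOLDER&ARC_ping_ipaddress=127.0.0.1&TMP_Ping_Type=4"},
    {"method": "POST", "path": "/images/..%2fapply_abstract.cgi",
     "body": "action=start_ping&httoken=PLACEHOLDER&ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1"},
]

if __name__ == "__main__":
    for index, findings in scan_records(SAMPLE_RECORDS):
        print(index, SAMPLE_RECORDS[index]["path"], findings)
```

Only records 1, 2 and 4 are reported; the benign asset fetch and the legitimate ping POST without the Telnet parameter produce no findings.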

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL