cbcvebase.
CVE-2021-20150
published 2021-12-30

CVE-2021-20150: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user…

PriorityP347medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
40.06%
98.5th percentile
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.

Affected

1 ranges
VendorProductVersion rangeFixed in
trendnettew-827dru_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/apply_sec.cgi
commandaction=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp
path/apply_sec.cgi
  • HTTP POST to /apply_sec.cgi with body containing 'action=setup_wizard_cancel' and redirect to 'ftpserver.asp' is the exploit trigger for CVE-2021-20150; a 200 OK response containing 'ftp_username', 'ftp_password', 'ftp_permission', and 'TEW-827DRU' in the body confirms successful credential disclosure.
  • Response body containing all four strings — 'ftp_username', 'ftp_password', 'ftp_permission', and 'TEW-827DRU' — with a Content-Type of 'text/html' and HTTP 200 status indicates successful exploitation.
  • Shodan/FOFA fingerprinting: devices with HTML body containing 'TEW-827DRU' or 'tew-827dru' are candidate targets for this vulnerability.
  • ·The vulnerability is specific to firmware version 2.08B01 of the Trendnet TEW-827DRU (CPE: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01). Exploitation against other firmware versions is not confirmed.
  • ·The exploit requires no authentication (CWE-306) and is network-accessible (AV:N), meaning any unauthenticated remote attacker can trigger the setup wizard redirect to disclose FTP credentials.

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.