CVE-2021-21745
published 2021-10-20


Priority: P2 · 77 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 55.71% (98.9th percentile)

ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could use this vulnerability to perform illegal authorization operations by sending a request to the user to click.

Affected

6 ranges

Vendor | Product | Version range | Fixed in
zte | mf971r_firmware | |
zte | mf971r_firmware | |
zte | mf971r_firmware | |
zte | mf971r_firmware | |
zte | mf971r_firmware | |
zte | mf971r_firmware | |

Detection & IOCs (extracted from sources)

hash: B2176B393A97B5BA13791FC591D2BE3F
hash: bf5ada32c9e8c815bfd51bfb5b8391cb
url: /goform/goform_get_cmd_process?cmd=psw_fail_num_str
other: Referer: http://interact.sh/127.0.0.1.html
filename: zte_topsw_goahead
snort: 57749, 57750, 57751, 57752, 57798, 57799, 57802, 57803, 57829

  • Exploit traffic targets the endpoint GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str with a spoofed/crafted Referer header to bypass CSRF/Referer authentication checks on ZTE MF971R routers.
  • A successful exploit response contains the JSON key 'psw_fail_num_str' with a numeric value; match regex psw_fail_num_str":"[0-9] in the HTTP response body with status 200.
  • CVE-2021-21745 is chained with CVE-2021-21748 (pre-auth stack-based buffer overflow) to achieve unauthenticated RCE; detection of the Referer bypass alone may indicate a staged attack leading to full device compromise.
  • Exploitation requires the victim to visit a malicious website; monitor for drive-by HTTP requests originating from user browsers targeting the router's /goform/ endpoint.
  • Vulnerable firmware versions are specifically identified; only these versions are confirmed exploitable by Talos testing.
  • Snort rules may change over time; always consult Firepower Management Center or Snort.org for the most current rule definitions.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck | | 4.3 | MEDIUM |