CVE-2021-22909
Published 2021-05-27
Priority P3 37 | high | 7.5 CVSS 3.1
AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 1.29% (66.7th percentile)
A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update. This vulnerability is fixed in EdgeMAX EdgeRouter V2.0.9-hotfix.1 and later.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ui | edgemax_edgerouter_firmware | <= 2.0.9 | — |
| ui | edgemax_edgerouter_firmware | — | — |
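CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |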
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE-494: Download of Code Without Integrity Check
Source: mitre_cwe
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Modes of Introduction:
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Phase: Implementation
Common Consequences:
Scope: Integrity, Availability, Confidentiality, Other. Impact: Execute Unauthorized Code or Commands, Alter Execution Logic, Other. Executing untrusted code could compromise the control flow of the program. The untrusted code could execute a
CWE-295: Improper Certificate Validation
Source: mitre_cwe
The product does not validate, or incorrectly validates, a certificate.
Background: A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete.
Common Consequences:
Scope: Integrity, Authentication. Im
CWE-669: Incorrect Resource Transfer Between Spheres
Source: mitre_cwe
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Background: A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating
Published: 2021-05-27