CVE-2021-23241
Published 2021-01-07
Priority P3 · 50 · medium · 5.3 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 13.44% (96.0th percentile)
MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mercusys | mercury_x18g_firmware | — | — |
Detection & IOCs
path: /loginLess/../../etc/passwd
yara regex: root:.*:0:0:
- Send an unauthenticated HTTP GET request to the path /loginLess/../../etc/passwd on the target device. Successful exploitation returns HTTP 200 with a body matching 'root:.*:0:0:', indicating /etc/passwd was read.
- Authentication bypass is achieved by using the 'loginLess' or 'login.htm' URI prefix in conjunction with directory traversal sequences (../) to access arbitrary files without credentials.
- The vulnerability is confirmed only on MERCUSYS Mercury X18G firmware version 1.0.5; other versions are not confirmed affected.
CVSS provenance
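| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |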
No detection rules found.
Nuclei
MERCUSYS Mercury X18G 1.0.5 Router - Local File Inclusion
nuclei · CVSS 5.3
MERCUSYS Mercury X18G 1.0.5 devices are vulnerable to local file inclusion via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI.
Template:
```yaml
id: CVE-2021-23241
info:
  name: MERCUSYS Mercury X18G 1.0.5 Router - Local File Inclusion
  author: daffainfo
  severity: medium
  description: MERCUSYS Mercury X18G 1.0.5 devices are vulnerable to local file inclusion via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, creden
```
No writeups or analysis indexed.
- https://github.com/BATTZION/MY_REQUEST/blob/master/Mercury%20Router%20Web%20Server%20Directory%20Traversal.md
- https://www.mercurycom.com.cn/product-521-1.html
- https://www.mercusys.com/en/
Published: 2021-01-07