CVE-2021-27132
published 2021-02-27

CVE-2021-27132: SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.

Priority: P267
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged (EXPLOIT)
EPSS: 16.69% (96.6th percentile)

Affected (1 range)

Vendor     Product                  Version range   Fixed in
sercomm    agcombo_vd625_firmware   (not given)     (not given)

Detection & IOCs (extracted from sources)

URL:    /test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20interact.sh%0d%0aX-XSS-Protection:0
Cookie: CRLFInjection=Test
  • Detect CRLF injection attempt in HTTP request path: look for %0d%0a sequences in the URL targeting the download function, followed by injected headers such as Set-Cookie, Location, and X-XSS-Protection.
  • Confirm exploitation by checking HTTP response headers simultaneously containing 'Content-Disposition: attachment;filename=test.txt', 'Set-Cookie:CRLFInjection=Test', 'Location: interact.sh', and 'X-XSS-Protection:0' with a 404 status code.
  • The vulnerable injection point is the Content-Disposition header in the download function of Sercomm AGCOMBO VD625 firmware AGSOT_2.1.0. Monitor for CRLF sequences (%0d%0a or \r\n) injected into this header.
  • The vulnerability is specific to Sercomm AGCOMBO VD625 devices running firmware version AGSOT_2.1.0 only. Detection rules should be scoped to this CPE to avoid false positives.
  • No authentication is required to exploit this vulnerability (PR:N, UI:N), meaning it is remotely exploitable by unauthenticated attackers. Detection should not filter on authenticated sessions.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P