CVE-2021-27132
Published 2021-02-27

Priority: P267 · Severity: critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.69% (96.6th percentile)
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sercomm | agcombo_vd625_firmware | — | — |
Detection & IOCs (extracted from sources)

Observed request path: `url/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20interact.sh%0d%0aX-XSS-Protection:0`

- Detect CRLF injection attempts in the HTTP request path: look for `%0d%0a` sequences in URLs targeting the download function, followed by injected headers such as `Set-Cookie`, `Location`, and `X-XSS-Protection`.
- Confirm exploitation by checking for HTTP responses whose headers simultaneously contain `Content-Disposition: attachment;filename=test.txt`, `Set-Cookie:CRLFInjection=Test`, `Location: interact.sh`, and `X-XSS-Protection:0`, together with a 404 status code.
- The vulnerable injection point is the Content-Disposition header in the download function of Sercomm AGCOMBO VD625 firmware AGSOT_2.1.0. Monitor for CRLF sequences (`%0d%0a` or `\r\n`) injected into this header.
- The vulnerability is specific to Sercomm AGCOMBO VD625 devices running firmware version AGSOT_2.1.0 only. Detection rules should be scoped to this CPE to avoid false positives.
- No authentication is required to exploit this vulnerability (PR:N, UI:N), so it is remotely exploitable by unauthenticated attackers. Detection should not filter on authenticated sessions.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei

CVE-2021-27132 [CRITICAL] Sercomm VD625 Smart Modems - CRLF Injection (nuclei · CVSS 9.8)

Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.

Template:

```yaml
id: CVE-2021-27132

info:
  name: Sercomm VD625 Smart Modems - CRLF Injection
  author: geeknik
  severity: critical
  description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.
  impact: |
    Successful exploitation of this vulnerability could lead to various attacks, including session hijacking, cross-site scripting (XSS), and cache poisoning.
  remediation: |
    Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
  reference:
    - https:
```
No writeups or analysis indexed.