CVE-2021-27710

CWE-78OS Command Injection3 documents3 sources
Severity
9.8CRITICAL
EPSS
20.2%
top 4.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Totolink A720r FirmwareTotolink X5000r Firmware
Timeline
PublishedApr 14
Latest updateMay 24

Description

Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDtotolink/a720r_firmware4.1.5cu.470_b20200911
NVDtotolink/x5000r_firmware9.1.0u.6118_b20201102

🔴Vulnerability Details

2
GHSA
GHSA-3r94-2jfp-h3m7: Command Injection in TOTOLINK X5000R router with firmware v92022-05-24
CVEList
CVE-2021-27710: Command Injection in TOTOLINK X5000R router with firmware v92021-04-14
CVE-2021-27710 (CRITICAL CVSS 9.8) | Command Injection in TOTOLINK X5000 | cvebase.io