CVE-2021-27856
published 2021-12-15


Priority: P183
Severity: critical (CVSS 3.1: 9.8)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 5.60% (91.9th percentile)

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002.

Affected

24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fatpipe | ipvpn | >= 10.1 < 10.1.2r60p91 | 10.1.2r60p91 |
| fatpipe | ipvpn | >= 10.2 < 10.2.2r42 | 10.2.2r42 |
| fatpipe | mpvpn | >= 10.1 < 10.1.2r60p91 | 10.1.2r60p91 |
| fatpipe | mpvpn | >= 10.2 < 10.2.2r42 | 10.2.2r42 |
| fatpipe | warp | >= 10.1 < 10.1.2r60p91 | 10.1.2r60p91 |
| fatpipe | warp | >= 10.2 < 10.2.2r42 | 10.2.2r42 |
| fatpipeinc | ipvpn_firmware | 6 entries, no version range shown | |
| fatpipeinc | mpvpn_firmware | 6 entries, no version range shown | |
| fatpipeinc | warp_firmware | 6 entries, no version range shown | |

Detection & IOCs (extracted from sources)

url: /fpui/loginServlet
other: loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D
other: cmuser
  • Detect exploitation attempts by monitoring POST requests to /fpui/loginServlet with the backdoor username 'cmuser' and an empty password field in the body.
  • A successful exploitation response will return HTTP 200 with Content-Type application/json and a body containing both '"loginRes":"success"' and '"activeUserName":"cmuser"'.
  • Flag any successful login (HTTP 200 + JSON success response) to /fpui/loginServlet originating from an external/untrusted source, as the exploit requires no authentication.
  • Affected versions are FatPipe WARP, IPVPN, and MPVPN prior to 10.1.2r60p91 and 10.2.2r42; older versions may also be vulnerable.
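
The detection logic in the bullets above, written as an added example (not taken from the FatPipe advisory or any vendor rule). It assumes each HTTP transaction is already available as a dict with the field names used below, and that TRUSTED_NETS lists your own management networks; the sample records are constructed.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlencode

LOGIN_PATH = "/fpui/loginServlet"
BACKDOOR_USER = "cmuser"
# Assumption: networks treated as trusted management sources.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def login_params(body):
    """Decode the loginParams form field (URL-encoded JSON); {} if absent or malformed."""
    values = parse_qs(body, keep_blank_values=True).get("loginParams", [])
    try:
        params = json.loads(values[0]) if values else {}
    except json.JSONDecodeError:
        return {}
    return params if isinstance(params, dict) else {}

def classify(txn):
    """Return detection tags for one HTTP transaction (request plus response)."""
    if txn["method"] != "POST" or txn["path"].split("?")[0] != LOGIN_PATH:
        return []
    params = login_params(txn["req_body"])
    # Pattern from the page: username cmuser with an empty password.
    if params.get("username") != BACKDOOR_USER or params.get("password"):
        return []
    tags = ["backdoor-attempt"]
    success = (txn["status"] == 200
               and txn["content_type"].lower().startswith("application/json")
               and '"loginRes":"success"' in txn["resp_body"]
               and '"activeUserName":"cmuser"' in txn["resp_body"])
    if success:
        tags.append("backdoor-success")
        src = ipaddress.ip_address(txn["src_ip"])
        if not any(src in net for net in TRUSTED_NETS):
            tags.append("untrusted-source")
    return tags

# Constructed sample transactions (not captured traffic).
def sample(src, method, user, pw, resp):
    body = urlencode({"loginParams": json.dumps({"username": user, "password": pw, "authType": 0})})
    return {"src_ip": src, "method": method, "path": LOGIN_PATH, "req_body": body,
            "status": 200, "content_type": "application/json", "resp_body": resp}

SAMPLES = [
    sample("203.0.113.7", "POST", "cmuser", "", '{"loginRes":"success","activeUserName":"cmuser"}'),
    sample("10.0.0.5", "POST", "cmuser", "", '{"loginRes":"fail"}'),
    sample("10.0.0.9", "POST", "admin", "x", '{"loginRes":"success","activeUserName":"admin"}'),
]
```

Run `classify` over each record from your proxy or WAF log; a `backdoor-attempt` tag without `backdoor-success` still merits review, since it shows someone probing for the account.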

CVSS provenance

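| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |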