CVE-2021-27856
Published 2021-12-15
Priority: P1 · 83 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.60% (91.9th percentile)
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fatpipe | ipvpn | >= 10.1 < 10.1.2r60p91 | 10.1.2r60p91 |
| fatpipe | ipvpn | >= 10.2 < 10.2.2r42 | 10.2.2r42 |
| fatpipe | mpvpn | >= 10.1 < 10.1.2r60p91 | 10.1.2r60p91 |
| fatpipe | mpvpn | >= 10.2 < 10.2.2r42 | 10.2.2r42 |
| fatpipe | warp | >= 10.1 < 10.1.2r60p91 | 10.1.2r60p91 |
| fatpipe | warp | >= 10.2 < 10.2.2r42 | 10.2.2r42 |
| fatpipeinc | ipvpn_firmware | — | — |
| fatpipeinc | ipvpn_firmware | — | — |
| fatpipeinc | ipvpn_firmware | — | — |
| fatpipeinc | ipvpn_firmware | — | — |
| fatpipeinc | ipvpn_firmware | — | — |
| fatpipeinc | ipvpn_firmware | — | — |
| fatpipeinc | mpvpn_firmware | — | — |
| fatpipeinc | mpvpn_firmware | — | — |
| fatpipeinc | mpvpn_firmware | — | — |
| fatpipeinc | mpvpn_firmware | — | — |
| fatpipeinc | mpvpn_firmware | — | — |
| fatpipeinc | mpvpn_firmware | — | — |
| fatpipeinc | warp_firmware | — | — |
| fatpipeinc | warp_firmware | — | — |
| fatpipeinc | warp_firmware | — | — |
| fatpipeinc | warp_firmware | — | — |
| fatpipeinc | warp_firmware | — | — |
| fatpipeinc | warp_firmware | — | — |
Detection & IOCs
other: loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D
- Detect exploitation attempts by monitoring POST requests to /fpui/loginServlet with the backdoor username 'cmuser' and an empty password field in the body.
- A successful exploitation response will return HTTP 200 with Content-Type application/json and a body containing both '"loginRes":"success"' and '"activeUserName":"cmuser"'.
- Flag any successful login (HTTP 200 + JSON success response) to /fpui/loginServlet originating from an external/untrusted source, as the exploit requires no authentication.
- Affected versions are FatPipe WARP, IPVPN, and MPVPN prior to 10.1.2r60p91 and 10.2.2r42; older versions may also be vulnerable.
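The detection logic in the bullets above, as an added example that is not part of the original page or of any vendor tooling: it classifies joined request/response records for /fpui/loginServlet. The record field names, the trusted range 10.0.0.0/8, the result labels and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH, BACKDOOR_USER = "/fpui/loginServlet", "cmuser"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal management range

def uses_backdoor_account(req_body):
    """True if loginParams decodes to username 'cmuser' with an empty password."""
    for raw in parse_qs(req_body, keep_blank_values=True).get("loginParams", []):
        try:
            params = json.loads(raw)
        except ValueError:
            continue  # not JSON, so not the pattern the page describes
        if (isinstance(params, dict) and params.get("username") == BACKDOOR_USER
                and params.get("password") in ("", None)):
            return True
    return False

def login_succeeded(tx, user=None):
    """HTTP 200, JSON content type, loginRes success and (optionally) the active user."""
    body = tx["resp_body"].replace(" ", "")
    ok = tx["status"] == 200 and tx["content_type"].lower().startswith("application/json")
    ok = ok and '"loginRes":"success"' in body
    return ok and (user is None or f'"activeUserName":"{user}"' in body)

def classify(tx):
    if tx["method"].upper() != "POST" or urlsplit(tx["path"]).path != LOGIN_PATH:
        return "none"
    if uses_backdoor_account(tx["req_body"]):
        return "backdoor-success" if login_succeeded(tx, BACKDOOR_USER) else "backdoor-attempt"
    external = not any(ipaddress.ip_address(tx["src"]) in net for net in TRUSTED_NETS)
    return "external-login" if external and login_succeeded(tx) else "none"

# Request body quoted on the page, and a constructed login for a hypothetical "admin" user.
IOC = "loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D"
ADMIN = "loginParams=%7B%22username%22%3A%22admin%22%2C%22password%22%3A%22x%22%2C%22authType%22%3A0%7D"
def sample(src, req_body, resp_body):  # constructed request/response pair, not real traffic
    return dict(src=src, method="POST", path=LOGIN_PATH, req_body=req_body, status=200,
                content_type="application/json", resp_body=resp_body)
SAMPLES = [
    sample("203.0.113.7", IOC, '{"loginRes":"success","activeUserName":"cmuser"}'),
    sample("203.0.113.7", IOC, '{"loginRes":"fail"}'),  # failure body is a constructed guess
    sample("198.51.100.9", ADMIN, '{"loginRes":"success","activeUserName":"admin"}'),
    sample("10.1.2.3", ADMIN, '{"loginRes":"success","activeUserName":"admin"}'),
]

def run_samples():
    return [classify(t) for t in SAMPLES]
if __name__ == "__main__":
    print(run_samples())
```

A "backdoor-attempt" against a patched appliance is still worth alerting on, since it shows the source is probing for this account.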
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
GHSA
GHSA-8235-wx5q-8wrv: FatPipe WARP, IPVPN, and MPVPN software prior to versions 10
ghsa_unreviewed·2021-12-16
CVE-2021-27856 [CRITICAL] CWE-862 GHSA-8235-wx5q-8wrv: FatPipe WARP, IPVPN, and MPVPN software prior to versions 10
VulnCheck
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 "cmuser" Backdoor Account
vulncheck·2021·CVSS 9.8
CVE-2021-27856 [CRITICAL] FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 "cmuser" Backdoor Account
Affected: FatPipe ipvpn_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.linkedin.com/pulse/how-i-hacked-group-hackers-operating-nigerian-banks-tale-sennaike/; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2021-27856&d
No detection rules found.
Nuclei
FatPipe WARP/IPVPN/MPVPN - Backdoor Account
nuclei·CVSS 9.8
CVE-2021-27856 [CRITICAL] FatPipe WARP/IPVPN/MPVPN - Backdoor Account
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contains an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access. The exploit requires no authentication.
Template:
id: CVE-2021-27856
info:
  name: FatPipe WARP/IPVPN/MPVPN - Backdoor Account
  author: gy741
  severity: critical
  description: |
    FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can gain unauthorized administrative access via a backdoor account with no pa
No writeups or analysis indexed.
https://www.fatpipeinc.com/support/cve-list.php
https://www.zeroscience.mk/codes/fatpipe_backdoor.txt
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php