CVE-2021-28149
published 2021-05-06


Priority: P277 (medium)
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild: yes (VulnCheck KEV)
EPSS: 13.75% (96.0th percentile)
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd). This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.

Affected (1 range)

Vendor: hongdian
Product: h8922_firmware
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

Indicators:
  url    /log_download.cgi?type=../../etc/passwd
  path   /log_download.cgi
  regex  root:.*:0:0:
  regex  sshd:[x*]
  regex  root:[$]

  • Look for HTTP GET requests to /log_download.cgi whose 'type' query parameter contains a path traversal sequence (../../). Match after URL-decoding the parameter, since the same sequence can arrive percent-encoded (%2e%2e%2f).
  • Successful exploitation returns HTTP 200 with a Content-Type header of 'application/octet-stream' and a body matching /etc/passwd patterns (e.g., root:.*:0:0:).
  • The probe uses default credentials, guest:guest (Base64: Z3Vlc3Q6Z3Vlc3Q=) and admin:admin (Base64: YWRtaW46YWRtaW4=), sent in an HTTP Basic Authorization header.
  • The vulnerability is specific to Hongdian H8922 firmware version 3.0.5; other versions may not be affected.
  • Exploitation requires at minimum low-privilege authenticated access (e.g., guest credentials); unauthenticated access alone is insufficient.
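The two checks above (request-side: a traversal sequence in the 'type' parameter of /log_download.cgi; response-side: HTTP 200, application/octet-stream, passwd-looking body) written out as an added Python example. This is not code from the page or from any Hongdian or VulnCheck tool; the access-log lines are constructed for illustration, and the log format (Apache/nginx combined) is an assumption about where such requests would be recorded.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real device logs.
SAMPLE_LOG = """\
203.0.113.5 - guest [06/May/2021:10:00:01 +0000] "GET /log_download.cgi?type=../../etc/passwd HTTP/1.1" 200 1283 "-" "Mozilla/5.0"
203.0.113.5 - guest [06/May/2021:10:00:02 +0000] "GET /log_download.cgi?type=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 731 "-" "curl/7.68.0"
198.51.100.7 - admin [06/May/2021:10:01:00 +0000] "GET /log_download.cgi?type=syslog HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
198.51.100.9 - - [06/May/2021:10:02:00 +0000] "GET /index.cgi?page=../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.68.0"
"""

# Combined-log-format parser; "target" is the request-URI as sent by the client.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# "../" or "..\" as a whole path component, evaluated after URL-decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

# Body patterns listed on the page as evidence that a passwd/shadow file came back.
PASSWD_PATTERNS = [re.compile(p) for p in (r'root:.*:0:0:', r'sshd:[x*]', r'root:[$]')]

# Vulnerable endpoint named in the advisory.
VULN_PATH = "/log_download.cgi"


def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is caught as well as %2e%2e%2f."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the (decoded) value contains a parent-directory component."""
    return TRAVERSAL_RE.search(fully_unquote(value)) is not None


def find_traversal_requests(log_text):
    """Request-side check: GETs to /log_download.cgi with '../' in the 'type' parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes once; fully_unquote handles double encoding on top.
        for raw_type in parse_qs(parts.query, keep_blank_values=True).get("type", []):
            if has_traversal(raw_type):
                hits.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "status": int(m.group("status")),
                    "decoded_type": fully_unquote(raw_type),
                })
    return hits


def is_successful_exfil(status, content_type, body):
    """Response-side check from the page: 200 + application/octet-stream + passwd fingerprint."""
    if status != 200 or not content_type.lower().startswith("application/octet-stream"):
        return False
    return any(p.search(body) for p in PASSWD_PATTERNS)


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal from {hit['ip']} as {hit['user']!r}: "
              f"type={hit['decoded_type']} (HTTP {hit['status']})")
```

The fourth sample line is deliberately not flagged: it carries a traversal sequence but targets a different CGI, and the page scopes this indicator to /log_download.cgi. Widen VULN_PATH to a set if you want a generic traversal hunt across the device's web UI. The response-side check is the one that separates a blocked probe (401, or a 200 HTML login page) from an actual file download.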

CVSS provenance

  NVD v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  NVD v2.0: 4.0 MEDIUM, AV:N/AC:L/Au:S/C:P/I:N/A:N
  VulnCheck: 6.5 MEDIUM