CVE-2021-28149
Published 2021-05-06
Priority: P2 · 77 · medium 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 13.75% (96.0th percentile)
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd). This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hongdian | h8922_firmware | — | — |
Detection & IOCs (extracted from sources)
Regex indicators (response body):
- `root:.*:0:0:`
- `sshd:[x*]`
- `root:[$]`
Detection notes:
- Look for HTTP GET requests to /log_download.cgi with a 'type' parameter containing path traversal sequences (../../) in the query string.
- Successful exploitation returns HTTP 200 with a Content-Type header of 'application/octet-stream' and a body matching /etc/passwd patterns (e.g., root:.*:0:0:).
- The probe uses default credentials: guest:guest (Base64: Z3Vlc3Q6Z3Vlc3Q=) and admin:admin (Base64: YWRtaW46YWRtaW4=) via the HTTP Basic Authorization header.
Caveats:
- The vulnerability is specific to Hongdian H8922 firmware version 3.0.5; other versions may not be affected.
- Exploitation requires at minimum low-privilege authenticated access (e.g., guest credentials); unauthenticated access alone is insufficient.
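The detection notes above describe two signals: a request to /log_download.cgi whose `type` parameter escapes the log directory, and an `application/octet-stream` response whose body matches the /etc/passwd regexes. The following Python is an added example written for this page (not a rule from any of the sources listed) that applies both checks to constructed access-log lines and a constructed response. It goes slightly beyond the notes by percent-decoding the parameter repeatedly, so single- and double-encoded `../` variants are also flagged; the log format, IP addresses and line contents are all invented sample data.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Response-body indicators exactly as listed on this page.
PASSWD_PATTERNS = [re.compile(p) for p in (r"root:.*:0:0:", r"sshd:[x*]", r"root:[$]")]

# A ".." path segment delimited by a slash (or backslash), or at either end of the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal (%252e%252e%252f) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(request_line: str) -> bool:
    """True for a request to /log_download.cgi whose 'type' parameter contains a ../ segment."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False  # malformed request line; not the shape we are looking for
    parts = urlsplit(target)
    if not parts.path.endswith("/log_download.cgi"):
        return False
    for value in parse_qs(parts.query).get("type", []):
        candidate = decode_fully(value).replace("\\", "/")
        if TRAVERSAL.search(candidate):
            return True
    return False


def looks_like_passwd(body: str) -> bool:
    """True if a downloaded body matches any of the page's /etc/passwd regexes."""
    return any(p.search(body) for p in PASSWD_PATTERNS)


def response_indicates_exfil(status: int, content_type: str, body: str) -> bool:
    """Combine the response-side signals from the detection notes."""
    return (
        status == 200
        and content_type.lower().startswith("application/octet-stream")
        and looks_like_passwd(body)
    )


# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - guest [06/May/2021:10:01:02 +0000] "GET /log_download.cgi?type=system HTTP/1.1" 200 5120
10.0.0.9 - guest [06/May/2021:10:01:09 +0000] "GET /log_download.cgi?type=../../etc/passwd HTTP/1.1" 200 812
10.0.0.9 - guest [06/May/2021:10:01:15 +0000] "GET /log_download.cgi?type=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 812
10.0.0.7 - admin [06/May/2021:10:02:00 +0000] "GET /index.cgi?page=../../etc/passwd HTTP/1.1" 404 120
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<request>[^"]+)" (?P<status>\d{3}) \d+'
)


def scan_log(text: str):
    """Return (src, user, request) for every line that is a traversal attempt on log_download.cgi."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_traversal_request(m.group("request")):
            hits.append((m.group("src"), m.group("user"), m.group("request")))
    return hits


if __name__ == "__main__":
    for src, user, request in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {src} as {user}: {request}")
    # Constructed response body resembling /etc/passwd; not captured from a device.
    print(response_indicates_exfil(200, "application/octet-stream", "root:x:0:0:root:/root:/bin/sh\n"))
```

Only the third sample line (a normal `type=system` export) and the request to a different CGI are ignored; the two /log_download.cgi requests with plain and percent-encoded `../` are reported. In a real deployment the request check belongs at the proxy or WAF in front of the device, and the response check on a TLS-terminating sensor, since the Basic-Auth requirement means the request will usually carry a valid low-privilege session.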
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| NVD | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| VulnCheck | — | 6.5 | MEDIUM | — |
GHSA
GHSA-mcvc-q5xw-3pf6: Hongdian H8922 3
ghsa_unreviewed · 2022-05-24 · CVE-2021-28149 [MEDIUM] · CWE-22
VulnCheck
hongdian h8922 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2021 · CVE-2021-28149 [MEDIUM] · CVSS 6.5
Affected: hongdian h8922
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https:
No detection rules found.
Nuclei
Hongdian H8922 3.0.5 Devices - Local File Inclusion
nuclei · CVE-2021-28149 [MEDIUM] · CVSS 6.5
Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd). This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
Template (excerpt, as shown on the page):
```yaml
id: CVE-2021-28149
info:
  name: Hongdian H8922 3.0.5 Devices - Local File Inclusion
  author: gy741
  severity: medium
  description: |
    Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /log_download.cgi log export
```
Unit42
Network Security Trends: May-July 2021
blogs_unit42 · 2021-09-17
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Authors: Yue Guan, Lei Xu. Published: September 17, 2021.