CVE-2021-28150
Published 2021-05-06
Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
Priority P2 (77) · medium · CVSS 3.1 base score 5.5
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 2.58% (83.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hongdian | h8922_firmware | — | — |
Detection & IOCs
- HTTP response Content-Type header 'application/octet-stream' on /backup2.cgi indicates a successful config file download.
- Response body containing 'CLI configuration saved from vty' or 'service webadmin' confirms sensitive configuration disclosure via /backup2.cgi.
- Unauthenticated or guest-authenticated GET request to /backup2.cgi returning HTTP 200 with an octet-stream body is the exploit pattern.
- The Base64 credential 'Z3Vlc3Q6Z3Vlc3Q=' decodes to 'guest:guest' and 'YWRtaW46YWRtaW4=' decodes to 'admin:admin' — these are default credentials used in the exploit; real deployments may use different passwords, but the path /backup2.cgi remains the vulnerable endpoint regardless of credentials.
- The vulnerability is specific to Hongdian H8922 firmware version 3.0.5; other versions are not confirmed affected.
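The indicators above can be turned into a small triage rule. The following is an added example, not code from the original page or any of the sources it aggregates; it assumes a constructed JSON-lines export of HTTP transactions with the fields `src`, `uri`, `status`, `resp_content_type` and `resp_body_prefix` (map your own proxy or IDS fields onto these names) and grades each hit by how much of the exploit pattern it matches.

```python
"""Triage HTTP transaction records against the CVE-2021-28150 indicators.

Field names below are an assumption for a constructed JSON-lines log;
adapt them to the sensor you actually have.
"""
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

VULN_PATH = "/backup2.cgi"
# Strings that, when present in the response body, prove cli.conf was returned.
BODY_MARKERS = ("CLI configuration saved from vty", "service webadmin")


def classify(rec: dict) -> Optional[str]:
    """Return 'high', 'medium' or 'low' for one transaction, or None if unrelated."""
    path = urlsplit(rec.get("uri", "")).path  # ignore any query string
    if path != VULN_PATH:
        return None
    if any(marker in rec.get("resp_body_prefix", "") for marker in BODY_MARKERS):
        return "high"  # configuration content actually left the device
    ctype = rec.get("resp_content_type", "").split(";")[0].strip().lower()
    if rec.get("status") == 200 and ctype == "application/octet-stream":
        return "medium"  # successful download pattern, body not captured
    return "low"  # request for the vulnerable endpoint that did not succeed


def triage(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan JSON-lines records; return (line_no, level, src) for every hit."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        level = classify(rec)
        if level:
            alerts.append((line_no, level, rec.get("src", "?")))
    return alerts


# Constructed sample log (not real traffic); the addresses are placeholders.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","uri":"/index.html","status":200,"resp_content_type":"text/html","resp_body_prefix":"<html>"}',
    '{"src":"10.0.0.9","uri":"/backup2.cgi?x=1","status":200,"resp_content_type":"application/octet-stream","resp_body_prefix":"!\\nservice webadmin\\n"}',
    '{"src":"10.0.0.9","uri":"/backup2.cgi","status":200,"resp_content_type":"application/octet-stream; charset=binary","resp_body_prefix":""}',
    '{"src":"10.0.0.7","uri":"/backup2.cgi","status":401,"resp_content_type":"text/html","resp_body_prefix":"Unauthorized"}',
    "this line is not JSON and is skipped",
]

if __name__ == "__main__":
    for line_no, level, src in triage(SAMPLE_LOG):
        print(f"line {line_no}: {level} confidence hit from {src}")
```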
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 5.5 | MEDIUM | — |
GHSA
GHSA-v446-8p4r-76m4: Hongdian H8922 3
ghsa_unreviewed · 2022-05-24 · CVE-2021-28150 [MEDIUM] · CWE-20
Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
VulnCheck
hongdian h8922 Direct Request ('Forced Browsing')
vulncheck · 2021 · CVSS 5.5 · CVE-2021-28150 [MEDIUM]
Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
Affected: hongdian h8922
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-23&host_type=src&vulnerability=cve-2021-28150; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-26&host_type=src&vulnerability=cve-2021-28150; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-27&host_type=src&vulnerability=
No detection rules found.
Nuclei
Hongdian H8922 3.0.5 - Information Disclosure
nuclei · CVSS 5.5 · CVE-2021-28150 [MEDIUM]
Hongdian H8922 3.0.5 is susceptible to information disclosure. An attacker can access cli.conf (with the administrator password and other sensitive data) via /backup2.cgi and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:

```yaml
id: CVE-2021-28150

info:
  name: Hongdian H8922 3.0.5 - Information Disclosure
  author: gy741
  severity: medium
  description: Hongdian H8922 3.0.5 is susceptible to information disclosure. An attacker can access cli.conf (with the administrator password and other sensitive data) via /backup2.cgi and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    Successful exploitation of this vulnerability can lead to t
```
Unit42
Network Security Trends: May-July 2021
blogs_unit42·2021-09-17
Network Security Trends: May-July 2021
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
## Network Security Trends: May-July 2021
Authors: Yue Guan, Lei Xu. Published: September 17, 2021.
Tags: Malware, Trend Reports, Vulnerabilities, Attack analysis, Exploit, Exploit in the wild, Network security trends