CVE-2021-28151
Published 2021-05-06
Priority: P184 · high · 8.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 27.91% (97.9th percentile)
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hongdian | h8922_firmware | — | — |
| hongdian | h8951-4g-esp | < 2310271149 | 2310271149 |
| hongdian | h8951-4g-esp_firmware | < 2310271149 | 2310271149 |
Detection & IOCs (extracted from sources)
Source: yara
regex: uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)
- The exploit targets POST requests to /tools.cgi with op_type=ping and shell metacharacters (e.g., %3B = ';') injected into the destination parameter.
- A successful command injection response contains a Unix uid/gid string matching the pattern uid=<N>(<name>) gid=<N>(<name>), indicating arbitrary OS command execution.
- The exploit is reachable with the default credentials guest:guest (Base64: Z3Vlc3Q6Z3Vlc3Q=) or admin:admin (Base64: YWRtaW46YWRtaW4=) via HTTP Basic Authentication.
- Monitor HTTP responses from /tools.cgi with Content-Type: text/html or application/x-www-form-urlencoded, HTTP 200 status and uid/gid output in the body.
- The vulnerability is specific to Hongdian H8922 firmware version 3.0.5; other firmware versions may not be affected.
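The indicators above can be turned into a detector for one request/response pair. The block below is an added example, not code from this page, from Hongdian, or from any of the cited sources; the two HTTP transactions in it are constructed, and the host 192.0.2.10 and the non-default password in the benign request are placeholders.

```python
"""Detector for CVE-2021-28151 exploitation against Hongdian H8922 /tools.cgi.

Added example (not code from the page or the vendor). It applies the listed
indicators to one HTTP request/response pair: POST /tools.cgi with
op_type=ping, shell metacharacters in the percent-decoded destination
parameter, Basic credentials decoding to guest:guest or admin:admin, and a
uid=/gid= string in a 200 response body. The sample traffic is constructed.
"""
import base64
import re
from urllib.parse import parse_qs

# Same pattern as the page's yara regex: id(1) output on a Unix host.
UID_GID_RE = re.compile(r"uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)")
# Characters that terminate or chain a command in a POSIX shell.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")
DEFAULT_CREDS = {"guest:guest", "admin:admin"}


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", errors="replace")


def basic_credentials(headers):
    """Return 'user:pass' from an Authorization: Basic header, or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        return base64.b64decode(auth[6:].strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(request: bytes, response: bytes) -> dict:
    """Score one request/response pair and return the indicators plus a verdict."""
    req_line, req_hdr, req_body = parse_http(request)
    method, target = (req_line.split(" ") + ["", ""])[:2]
    path = target.split("?", 1)[0]
    # parse_qs percent-decodes, so %3B on the wire shows up here as ';'.
    params = {k: v[0] for k, v in parse_qs(req_body, keep_blank_values=True).items()}
    destination = params.get("destination", "")
    resp_line, _, resp_body = parse_http(response)
    status = (resp_line.split(" ") + ["", ""])[1]
    hit = UID_GID_RE.search(resp_body)

    flags = {
        "ping_to_tools_cgi": method == "POST" and path == "/tools.cgi"
        and params.get("op_type") == "ping",
        "shell_meta_in_destination": SHELL_META_RE.search(destination) is not None,
        "default_credentials": basic_credentials(req_hdr) in DEFAULT_CREDS,
        "uid_gid_in_response": status == "200" and hit is not None,
    }
    if flags["ping_to_tools_cgi"] and flags["shell_meta_in_destination"]:
        verdict = "exploited" if flags["uid_gid_in_response"] else "attempt"
    else:
        verdict = "benign"
    return {"verdict": verdict, "destination": destination,
            "exec_user": hit.group(1) if hit else None, **flags}


# Constructed sample traffic; not captured from a real device.
ATTACK_REQUEST = (
    b"POST /tools.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n\r\n"
    b"op_type=ping&destination=127.0.0.1%3Bid"
)
ATTACK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"PING 127.0.0.1 (127.0.0.1): 56 data bytes\n"
    b"uid=0(root) gid=0(root)\n"
)
BENIGN_REQUEST = (
    b"POST /tools.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic YWRtaW46U3RyMG5nUGFzcw==\r\n"  # admin:Str0ngPass, placeholder
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"op_type=ping&destination=8.8.8.8"
)
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"PING 8.8.8.8 (8.8.8.8): 56 data bytes\n"
    b"64 bytes from 8.8.8.8: seq=0 ttl=117 time=12.1 ms\n"
)

if __name__ == "__main__":
    for name, req, resp in (("attack", ATTACK_REQUEST, ATTACK_RESPONSE),
                            ("benign", BENIGN_REQUEST, BENIGN_RESPONSE)):
        print(name, analyze(req, resp))
```

The verdict deliberately splits "attempt" (malicious request, no uid/gid in the body) from "exploited" (the response proves command execution), since a patched or non-H8922 host will still receive the scanner traffic that Shadowserver's honeypots record for this CVE.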
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
VulnCheck: 8.8 HIGH
GHSA
GHSA-9pqq-c77f-g45f (CVE-2023-49254, HIGH, CWE-78): Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test
ghsa_unreviewed · 2024-01-12 · CVSS 8.8
An authenticated user can execute arbitrary commands in the context of the root user by providing a payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151, which was mitigated at the user-interface level by blacklisting characters with JavaScript; however, it can still be exploited by sending POST requests directly.
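The advisory's point is that a JavaScript blacklist in the web UI does nothing against a hand-built POST: the check has to happen on the server, and the value must never reach a shell. The block below is an added example, not Hongdian firmware and not code from either advisory; it models the injectable handler beside a hardened one. The function names and the fixed "ping -c 4" command line are assumptions for illustration, and nothing in it executes ping unless run_ping() is called explicitly.

```python
"""The ping "destination" field: injectable handling beside a hardened version.

Added example; not Hongdian firmware and not code from the advisories above.
vulnerable_command() returns the string the buggy pattern would hand to a
shell; hardened_argv() returns the argv the fixed pattern would hand to
subprocess.run(shell=False). The validation and the command line are the
author's own choices, not the vendor's.
"""
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens that never
# start with a hyphen, so the value can never be parsed as a ping option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*$"
)


def vulnerable_command(destination: str) -> str:
    """The CWE-78 pattern behind CVE-2021-28151: untrusted text concatenated
    into a command line that a shell then parses. Anything after ';', '|',
    '&', a backtick or '$(' runs as a second command."""
    return "ping -c 4 " + destination


def validate_destination(destination: str) -> str:
    """Accept a literal IPv4/IPv6 address or a DNS hostname; reject all else."""
    dest = destination.strip()
    if not dest:
        raise ValueError("empty destination")
    try:
        return str(ipaddress.ip_address(dest))  # normalised, e.g. '::1'
    except ValueError:
        pass
    if HOSTNAME_RE.match(dest):
        return dest
    raise ValueError("destination is not an IP address or hostname: %r" % dest)


def is_valid_destination(destination: str) -> bool:
    """True if validate_destination() would accept the value."""
    try:
        validate_destination(destination)
        return True
    except ValueError:
        return False


def hardened_argv(destination: str) -> list:
    """argv for the fixed handler: validated value, one argument, no shell."""
    return ["ping", "-c", "4", validate_destination(destination)]


def run_ping(destination: str, timeout: float = 10.0) -> str:
    """Execute the hardened form. With shell=False the argv list goes straight
    to execve(); no shell ever sees the user-supplied value."""
    result = subprocess.run(hardened_argv(destination), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout + result.stderr


if __name__ == "__main__":
    for value in ("8.8.8.8", "example.com", "127.0.0.1;id", "$(id)", "-f 8.8.8.8"):
        print("shell string :", vulnerable_command(value))
        try:
            print("hardened argv:", hardened_argv(value))
        except ValueError as exc:
            print("rejected     :", exc)
```

Allowlisting (an address or a hostname grammar) rather than blacklisting metacharacters is what closes the gap the advisory describes: a blacklist has to enumerate every shell construct the firmware's shell understands, while the allowlist only has to describe the one thing a ping target can legitimately be.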
GHSA
GHSA-qr4g-xxx6-244x (CVE-2021-28151, HIGH, CWE-78): Hongdian H8922 3
ghsa_unreviewed · 2022-05-24
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.
VulnCheck
hongdian h8922 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CVE-2021-28151, HIGH)
vulncheck · 2021 · CVSS 8.8
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.
Affected: hongdian h8922
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-24&host_type=src&vulnerability=cve-2021-28151
- https://blog.xlab.qianxin.com/mirai-tbot-en/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01
No detection rules found.
Nuclei
Hongdian H8922 3.0.5 - Remote Command Injection (CVE-2021-28151, HIGH)
nuclei · CVSS 8.8
Hongdian H8922 3.0.5 devices are susceptible to remote command injection via shell metacharacters into the ip-address (a/k/a Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system.
Template:

```yaml
id: CVE-2021-28151
info:
  name: Hongdian H8922 3.0.5 - Remote Command Injection
  author: gy741
  severity: high
  description: |
    Hongdian H8922 3.0.5 devices are susceptible to remote command injection via shell metacharacters into the ip-address (a/k/a Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. An attack
```
Unit42
Network Security Trends: May-July 2021
blogs_unit42 · 2021-09-17
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Authors: Yue Guan, Lei Xu · Published: September 17, 2021 · Tags: Malware, Trend Reports, Vulnerabilities, Attack analysis, Exploit, Exploit in the wild, Network security trends