CVE-2021-28151
published 2021-05-06


Priority: P184 high · CVSS 3.1 base score 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 27.91% (97.9th percentile)
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.

Affected

3 ranges

Vendor    Product                Version range   Fixed in
hongdian  h8922_firmware         -               -
hongdian  h8951-4g-esp           < 2310271149    2310271149
hongdian  h8951-4g-esp_firmware  < 2310271149    2310271149

Detection & IOCs (extracted from sources)

path: /tools.cgi
command: op_type=ping&destination=%3Bid
yara regex: uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)
  • Exploit targets POST requests to /tools.cgi with op_type=ping and shell metacharacters (e.g., %3B = ';') injected into the destination parameter.
  • Successful command injection response contains a Unix uid/gid string matching the pattern uid=<N>(<name>) gid=<N>(<name>), indicating arbitrary OS command execution.
  • Exploit is accessible using default credentials guest:guest (Base64: Z3Vlc3Q6Z3Vlc3Q=) or admin:admin (Base64: YWRtaW46YWRtaW4=) via HTTP Basic Authentication.
  • Monitor HTTP responses from /tools.cgi for Content-Type: text/html or application/x-www-form-urlencoded combined with HTTP 200 status and uid/gid output in the body.
  • The vulnerability is specific to Hongdian H8922 firmware version 3.0.5; other firmware versions may not be affected.
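The indicators above can be turned into a small triage check over logged request/response pairs. The following is an added example, not code from the page's sources: the sample exchanges are constructed inline, and the shell-metacharacter set and the `inspect_exchange`/`scan` helper names are assumptions chosen for illustration.

```python
import base64
import re
from urllib.parse import parse_qs

# Regex from the page's IOC list: output of `id` leaking into the response body.
UID_GID_RE = re.compile(r"uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)")
# Assumed set of shell metacharacters that never belong in a ping destination.
META_RE = re.compile(r"[;|&`$(){}<>\n]")
# Default credentials named on the page, compared as user:password after decoding.
DEFAULT_CREDS = {"guest:guest", "admin:admin"}

def inspect_exchange(method, path, headers, body, status, resp_body):
    """Match one request/response pair against the CVE-2021-28151 indicators.
    Returns the list of indicator names that fired; an empty list means clean."""
    hits = []
    if method.upper() != "POST" or path.split("?", 1)[0] != "/tools.cgi":
        return hits
    # parse_qs URL-decodes, so %3B becomes ';' before the metacharacter check.
    params = parse_qs(body, keep_blank_values=True)
    if params.get("op_type", [""])[0] == "ping":
        if META_RE.search(params.get("destination", [""])[0]):
            hits.append("shell-metachar-in-destination")
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed Base64 is not a default-credential hit
            creds = ""
        if creds in DEFAULT_CREDS:
            hits.append("default-credentials")
    if status == 200 and UID_GID_RE.search(resp_body):
        hits.append("uid-gid-in-response")
    return hits

def scan(req, resp):
    return inspect_exchange(req["method"], req["path"], req["headers"],
                            req["body"], resp[0], resp[1])

# Constructed sample exchanges (not captured traffic) shaped like the page's indicators.
ATTACK_REQ = {"method": "POST", "path": "/tools.cgi",
              "headers": {"Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="},
              "body": "op_type=ping&destination=%3Bid"}
ATTACK_RESP = (200, "<html><pre>uid=0(root) gid=0(root)</pre></html>")
BENIGN_REQ = {"method": "POST", "path": "/tools.cgi",
              "headers": {"Authorization": "Basic " + base64.b64encode(b"ops:Str0ngPass").decode()},
              "body": "op_type=ping&destination=192.0.2.10"}
BENIGN_RESP = (200, "<html><pre>PING 192.0.2.10: 56 data bytes</pre></html>")
```

The request-side indicators fire on their own, so the check still yields a finding when only the request (not the response body) was logged.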

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck  -        8.8    HIGH      -