cvebase
CVE-2021-31249
published 2021-06-04


Priority: P3 (56) · Severity: medium · CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
Exploit: available
EPSS: 18.00% (96.8th percentile)
A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.

Detection & IOCs (extracted from sources)

  • url: /man.cgi?redirect=setting.htm%0d%0a%0d%0aalert(document.domain)&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY
  • path: /man.cgi
  • other: Location: setting.htm\r\nalert(document.domain)
  • Detect CRLF injection exploitation attempts against CHIYU devices by looking for HTTP requests to CGI endpoints (e.g., man.cgi) containing URL-encoded CRLF sequences (%0d%0a) in the redirect= parameter.
  • A successful exploit triggers an HTTP 302 redirect response whose Location header contains injected content (e.g., 'Location: setting.htm' followed by injected lines). Alert on 302 responses from CGI endpoints where the Location header contains unexpected newline-separated content.
  • The redirect= parameter is the injection point across multiple CGI components on affected devices. Monitor HTTP requests where redirect= contains %0d%0a or %0a sequences.
  • The vulnerability affects multiple CGI components, not just man.cgi. Detection rules should be broadened to cover all CGI endpoints on CHIYU devices, not only the one used in the proof-of-concept template.
  • Affected device models are BF-430, BF-431, and BF-450M. Scope detection to traffic destined for these CHIYU TCP/IP Converter devices to reduce false positives.
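The detection notes above, turned into runnable checks as an added example (this code is not part of the cvebase record, the advisory, or any CHIYU software). It implements three rules over request/response pairs: the request-side rule (encoded or literal CR/LF in a redirect= parameter sent to any .cgi path), the response-side rule (a 302 whose header block carries a non-header line after Location:), and a correlation rule that looks for the decoded redirect= value, CR/LF included, reflected after "Location: " in the response. The correlation rule exists because the double-CRLF form shown in the IOCs terminates the header block, so the injected text lands in the body and a header-only rule misses it. All sample traffic is constructed; function names and the list of samples are this example's own.

```python
"""Detection helpers for CRLF injection through redirect= on CGI endpoints.

Added example with constructed sample traffic; not captures from a real device.
"""
import re
from urllib.parse import urlsplit, unquote

# Percent-encoded CR/LF forms named in the detection notes.
ENCODED_CRLF = re.compile(r"%0d%0a|%0a|%0d", re.IGNORECASE)
# A syntactically valid HTTP/1.1 header line: token characters, then a colon.
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")


def redirect_values(request_line: str):
    """Yield the raw (still percent-encoded) redirect= values of a request line
    such as 'GET /man.cgi?redirect=... HTTP/1.1', but only for .cgi paths."""
    parts = request_line.split()
    if len(parts) < 2:
        return
    target = urlsplit(parts[1])
    if not target.path.lower().endswith(".cgi"):
        return
    for pair in target.query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "redirect":
            yield value


def redirect_param_has_crlf(request_line: str) -> bool:
    """Request-side rule: redirect= carries an encoded or literal CR/LF."""
    for raw in redirect_values(request_line):
        if ENCODED_CRLF.search(raw):
            return True
        decoded = unquote(raw)
        if "\r" in decoded or "\n" in decoded:
            return True
    return False


def location_header_injected(raw_response: str) -> bool:
    """Response-side rule: a 302 whose header block contains a line after
    Location: that is not a well-formed header (a single injected CRLF)."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    lines = header_block.split("\r\n")
    if not re.match(r"HTTP/\d\.\d 302\b", lines[0]):
        return False
    after_location = False
    for line in lines[1:]:
        if line.lower().startswith("location:"):
            after_location = True
        elif after_location and not HEADER_LINE.match(line):
            return True
    return False


def crlf_reflected(request_line: str, raw_response: str) -> bool:
    """Correlation rule: the decoded redirect= value, CR/LF included, appears
    verbatim after 'Location: ' in the response. Covers the double-CRLF case,
    where the injected text ends the header block and shows up as body."""
    for raw in redirect_values(request_line):
        decoded = unquote(raw)
        if ("\r" in decoded or "\n" in decoded) and ("Location: " + decoded) in raw_response:
            return True
    return False


def scan(pairs):
    """Run all three rules over (request_line, raw_response) pairs.
    Returns a list of (pair_index, rule_name) for every rule that fired."""
    alerts = []
    for i, (req, resp) in enumerate(pairs):
        for name, hit in (("request_crlf", redirect_param_has_crlf(req)),
                          ("response_injected", location_header_injected(resp)),
                          ("crlf_reflected", crlf_reflected(req, resp))):
            if hit:
                alerts.append((i, name))
    return alerts


# Constructed sample traffic (not real captures).
SAMPLE_PAIRS = [
    # 0: benign configuration change, clean redirect
    ("GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply HTTP/1.1",
     "HTTP/1.1 302 Found\r\nLocation: setting.htm\r\nContent-Length: 0\r\n\r\n"),
    # 1: the double-CRLF pattern from the IOCs; injected text lands in the body
    ("GET /man.cgi?redirect=setting.htm%0d%0a%0d%0aalert(document.domain)&failure=fail.htm HTTP/1.1",
     "HTTP/1.1 302 Found\r\nLocation: setting.htm\r\n\r\nalert(document.domain)\r\n"),
    # 2: single CRLF; a stray non-header line appears inside the header block
    ("GET /man.cgi?redirect=setting.htm%0d%0ainjected-text&failure=fail.htm HTTP/1.1",
     "HTTP/1.1 302 Found\r\nLocation: setting.htm\r\ninjected-text\r\nContent-Length: 0\r\n\r\n"),
    # 3: encoded CRLF on a non-CGI path; out of scope for these rules
    ("GET /static/app.js?redirect=a%0d%0ab HTTP/1.1",
     "HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_PAIRS):
        print(f"pair {idx}: {rule}")
```

Pair 1 shows why the correlation rule is needed: the request rule and the reflection rule fire, but the header-only response rule stays silent because the injected text is already past the header terminator. In production the sensor would additionally restrict matches to the BF-430/BF-431/BF-450M hosts, as the scoping note above suggests.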

CVSS provenance

NVD v3.1: 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
NVD v2.0: 6.4 MEDIUM · AV:N/AC:L/Au:N/C:P/I:P/A:N