CVE-2021-3297
published 2021-01-26

CVE-2021-3297: On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.

Priority: P179 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 20.51% (97.2th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
zyxel | nbg2105_firmware | |

Detection & IOCs (extracted from sources)

cookie: login=1
path: /status.htm
path: /login_ok.htm
snort:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zyxel Authentication Bypass Inbound (CVE-2021-3297)"; http.method; content:"GET"; http.uri; content:"/login_ok.htm"; fast_pattern; http.cookie; content:"login=1"; reference:url,github.com/Sec504/Zyxel-NBG2105-CVE-2021-3297; reference:cve,2021-3297; classtype:attempted-user; sid:2032523; rev:2; metadata:created_at 2021_04_06, cve CVE_2021_3297, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Authentication bypass is confirmed by an HTTP 200 response to GET /status.htm with Cookie: login=1, and the response body containing all three strings: 'Running Time', 'Firmware Version', and 'Firmware Build Time'.
  • The Emerging Threats Snort rule (SID 2032523) triggers on inbound HTTP GET requests to /login_ok.htm with the cookie value 'login=1', targeting $HOME_NET. Deploy at both Perimeter and Internal chokepoints.
  • The vulnerability is specific to Zyxel NBG2105 firmware version V1.00(AAGU.2)C0 only. Verify the exact firmware version before applying detection rules to avoid false positives on other Zyxel devices.
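The indicators above can also be applied to captured request/response pairs to separate mere attempts from exchanges where the bypass response was observed. This is an added example, not code from the page's sources; the function names and sample exchanges are constructed, and the cookie check is deliberately stricter than the rule's substring match on "login=1".

```python
# Added example: triage captured HTTP exchanges for the CVE-2021-3297 indicators.
WATCHED_PATHS = ("/login_ok.htm", "/status.htm")
STATUS_MARKERS = ("Running Time", "Firmware Version", "Firmware Build Time")

def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP/1.x request, or None."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1].split("?", 1)[0], headers

def has_login_cookie(cookie_header):
    """True only for an exact login=1 pair, so login=10 or xlogin=1 do not match."""
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "login" and value == "1":
            return True
    return False

def classify(raw_request, status=None, body=""):
    """Return 'none', 'attempt' or 'bypass-confirmed' for one exchange."""
    parsed = parse_request(raw_request)
    if parsed is None:
        return "none"
    method, path, headers = parsed
    if method != "GET" or not any(p in path for p in WATCHED_PATHS):
        return "none"
    if not has_login_cookie(headers.get("cookie", "")):
        return "none"
    if "/status.htm" in path and status == 200 and all(m in body for m in STATUS_MARKERS):
        return "bypass-confirmed"
    return "attempt"

# Constructed exchanges: (raw request, response status, response body).
REQ = "{} {} HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: {}\r\n\r\n"
PAGE = "<td>Running Time</td><td>Firmware Version</td><td>Firmware Build Time</td>"
SAMPLES = [
    (REQ.format("GET", "/login_ok.htm", "login=1"), 200, ""),
    (REQ.format("GET", "/status.htm", "lang=en; login=1"), 200, PAGE),
    (REQ.format("GET", "/status.htm", "xlogin=1; login=10"), 302, ""),
    (REQ.format("POST", "/login_ok.htm", "login=1"), 200, ""),
]
RESULTS = [classify(*s) for s in SAMPLES]
```

A "bypass-confirmed" result corresponds to the 200 response with all three status-page strings described in the first note above; "attempt" means only the request-side indicators matched.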

CVSS provenance

nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 7.8 | HIGH |