CVE-2021-3297
Published: 2021-01-26

CVE-2021-3297: On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
Priority: P1 · 79 · high · 7.8 (CVSS 3.1)
Flags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 20.51% (97.2th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zyxel | nbg2105_firmware | — | — |
Detection & IOCs (extracted from sources)

Snort rule (SID 2032523):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zyxel Authentication Bypass Inbound (CVE-2021-3297)"; http.method; content:"GET"; http.uri; content:"/login_ok.htm"; fast_pattern; http.cookie; content:"login=1"; reference:url,github.com/Sec504/Zyxel-NBG2105-CVE-2021-3297; reference:cve,2021-3297; classtype:attempted-user; sid:2032523; rev:2; metadata:created_at 2021_04_06, cve CVE_2021_3297, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Authentication bypass is confirmed by an HTTP 200 response to GET /status.htm with Cookie: login=1, and the response body containing all three strings: 'Running Time', 'Firmware Version', and 'Firmware Build Time'.
- The Emerging Threats Snort rule (SID 2032523) triggers on inbound HTTP GET requests to /login_ok.htm with the cookie value 'login=1', targeting $HOME_NET. Deploy at both Perimeter and Internal chokepoints.
- The vulnerability is specific to Zyxel NBG2105 firmware version V1.00(AAGU.2)C0 only. Verify the exact firmware version before applying detection rules to avoid false positives on other Zyxel devices.
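As an added example (not code from this page or from Emerging Threats), the following applies the conditions of SID 2032523 (GET /login_ok.htm with cookie login=1) and the /status.htm verification request described above to raw HTTP requests, as a log-side check; the sample requests and the 192.0.2.1 host are constructed.

```python
# Added example (not from the page or Emerging Threats): applies the SID 2032523
# conditions and the /status.htm verification request to raw HTTP requests.
from typing import Dict, List, Optional

WATCHED_URIS = {
    "/login_ok.htm": "CVE-2021-3297 bypass attempt (SID 2032523 conditions)",
    "/status.htm": "CVE-2021-3297 bypass verification request",
}

def parse_cookies(header: str) -> Dict[str, str]:
    """Exact name/value split; the rule's content match is a substring match."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs

def parse_request(raw: str) -> Optional[dict]:
    """Parse the request line and headers of one raw HTTP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": target.split("?", 1)[0], "headers": headers}

def classify(raw: str) -> Optional[str]:
    # Label only GET requests carrying login=1 to one of the watched URIs.
    req = parse_request(raw)
    if req is None or req["method"] != "GET":
        return None
    cookies = parse_cookies(req["headers"].get("cookie", ""))
    if cookies.get("login") != "1":
        return None
    return WATCHED_URIS.get(req["uri"])

SAMPLE_REQUESTS = [  # constructed sample traffic, not captured data
    "GET /login_ok.htm HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: login=1\r\n\r\n",
    "GET /status.htm HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: lang=en; login=1\r\n\r\n",
    "GET /login_ok.htm HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: login=0\r\n\r\n",
    "POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: login=1\r\n\r\n",
]

def scan(requests: List[str]) -> List[str]:
    """Labels of the requests that should raise an alert."""
    return [label for label in map(classify, requests) if label]
```

Only the first two sample requests produce a label; the login=0 request and the POST are ignored, matching the rule's method and cookie conditions.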
CVSS provenance
- NVD v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 7.8 HIGH
GHSA
GHSA-vqr2-c24p-rh7p: On Zyxel NBG2105 V1
ghsa · unreviewed · 2022-05-24 · CVE-2021-3297 [HIGH] · CWE-287
On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
VulnCheck
Zyxel nbg2105_firmware Improper Authentication
vulncheck · 2021 · CVSS 7.8 · CVE-2021-3297 [HIGH]
On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
Affected: Zyxel nbg2105_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-19&host_type=src&vulnerability=cve-2021-3297
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-23&host_type=src&vulnerability=cve-2021-3297
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-26&host_type=src&vulnerability=cve-2021-3297
- https://dashboard.shadowserver.org/s
Suricata
ET EXPLOIT Possible Zyxel Authentication Bypass Inbound (CVE-2021-3297)
suricata · 2021-04-06 · CVSS 7.8 · CVE-2021-3297 [HIGH]
Rule: identical to the Snort rule quoted under Detection & IOCs above (SID 2032523, rev 2).
Nuclei
Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
nuclei · CVSS 7.8 · CVE-2021-3297 [HIGH]
Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access.
Template:

```yaml
id: CVE-2021-3297

info:
  name: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
  author: gy741
  severity: high
  description: Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, unauthorized configuration changes, and potential compromise of the affected device.
  remediation: |
    Apply the latest firmware update provided by Zyxel to fix the au
```
No writeups or analysis indexed.
References:
- https://codeberg.org/nieldk/vulnerabilities/src/branch/main/zyxel%20nbg2105/Admin%20bypass
- https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass
- https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01490&md=NBG2105
- https://www.zyxel.com/us/en/support/security_advisories.shtml