cbcvebase.
CVE-2021-38759
published 2021-12-07

CVE-2021-38759: Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.

PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
15.67%
96.4th percentile
Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.

Affected

1 ranges
VendorProductVersion rangeFixed in
raspberrypiraspberry_pi_os_lite<= 5.10

Detection & IOCsextracted from sources · hover to see the quote

otherpi:raspberry
  • Detect SSH login attempts using the default username 'pi' and password 'raspberry' against any host, indicative of CVE-2021-38759 exploitation.
  • Monitor for successful SSH authentication as user 'pi' followed immediately by execution of the 'id' command, which is the post-exploitation step in the published PoC.
  • Alert on SSH connections using the Paramiko Python library (identifiable via its SSH client banner/user-agent string) authenticating as 'pi', as the PoC exploit is implemented in Python using Paramiko.
  • ·The default credentials are only exploitable if the 'pi' account password has not been changed from the default 'raspberry'; systems where the password has been updated are not vulnerable.
  • ·The exploit requires SSH to be enabled and reachable on the target Raspberry Pi device; SSH is not enabled by default on all Raspberry Pi OS versions.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.