cbcvebase.
CVE-2021-40856
published 2021-12-13

CVE-2021-40856: Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring.

Priority: P1 · 83 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploitation: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 51.06% (98.8th percentile)

Affected

3 ranges

Vendor      Product                        Version range   Fixed in
auerswald   comfortel_1400_ip_firmware     <= 2.8f
auerswald   comfortel_2600_ip_firmware     <= 2.8f
auerswald   comfortel_3600_ip_firmware     <= 2.8f

Detection & IOCs (extracted from sources)

url: /about/../tree?action=get
path: /about/../
  • HTTP GET request to a path matching /about/../<endpoint> (path traversal prefix) on Auerswald COMfortel devices indicates an authentication bypass attempt.
  • Successful exploitation returns HTTP 200 with a JSON body containing the keys 'TYPE', 'ITEMS', and 'COUNT' and a Content-Type: application/json header, without prior authentication.
  • A response Content-Type header of 'application/json' combined with HTTP 200 status on the bypass path confirms successful unauthenticated access.
  • Attackers can retrieve PBX login credentials and other sensitive configuration data via the bypassed endpoint.
  • The vulnerability affects Auerswald COMfortel 1400 IP and 2600 IP before firmware 2.8G; the Nuclei template also targets the 3600 IP model.
  • The bypass works against the web-based configuration management interface; no credentials are required by the attacker.
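As an added detection example (not from the CVE record, the vendor, or the Nuclei template), the following Python script applies the indicators above to constructed access-log lines and response data; the Common Log Format layout and the sample addresses are assumptions.

```python
"""Detection helper for CVE-2021-40856 (added example, not vendor or CVE-record code).
Flags access-log requests whose raw path uses the /about/../ prefix and
classifies responses against the record's success indicators.
All sample data below is constructed, not captured from a real device."""
import json
import re
from posixpath import normpath

# Assumed Common Log Format with a quoted request line; trailing fields are ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
BYPASS_PREFIX = "/about/../"  # traversal prefix named in the CVE description

def is_bypass_path(raw_path: str) -> bool:
    """True when the un-normalised request path starts with /about/../ ."""
    return raw_path.split("?", 1)[0].startswith(BYPASS_PREFIX)

def effective_endpoint(raw_path: str) -> str:
    """Endpoint the traversal resolves to, e.g. /about/../tree -> /tree."""
    return normpath(raw_path.split("?", 1)[0])

def scan_access_log(lines):
    """Return (client_ip, resolved_endpoint, status) for each bypass-prefixed GET."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, raw_path, status = m.groups()
        if method == "GET" and is_bypass_path(raw_path):
            hits.append((ip, effective_endpoint(raw_path), int(status)))
    return hits

def looks_like_successful_bypass(status: int, content_type: str, body: str) -> bool:
    """Record's success indicators: HTTP 200, JSON content type, TYPE/ITEMS/COUNT keys."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and {"TYPE", "ITEMS", "COUNT"} <= set(data)

# Constructed sample log; 203.0.113.x / 198.51.100.x are documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2021:10:00:01 +0000] "GET /about/../tree?action=get HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Dec/2021:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 1024',
    '198.51.100.7 - - [13/Dec/2021:10:00:03 +0000] "GET /tree?action=get HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, endpoint, status in scan_access_log(SAMPLE_LOG):
        print(f"bypass attempt from {ip}: {endpoint} -> HTTP {status}")
```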

CVSS provenance

NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
VulnCheck: 7.5 HIGH