CVE-2021-40859
Published: 2021-12-07
- Priority: P184
- Severity: critical (CVSS 3.1 base score 9.8)
- CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Exploited in the wild (ITW exploit)
- EPSS: 71.98% (99.4th percentile)
Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| auerswald | compact_5500r_firmware | — | — |
| auerswald | compact_5500r_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /about_state on Auerswald devices; a JSON response containing 'pbx', 'dongleStatus':0, and 'macaddr' fields indicates a vulnerable device exposing the serial number and date needed for backdoor password derivation.
- Monitor for HTTP Basic Auth attempts using the username 'Schandelah' against Auerswald device management interfaces; this is a hardcoded backdoor account granting 'Haendler' (reseller) level access.
- Monitor for HTTP 302 redirects to /statics/html/page_servicetools.html following authentication to Auerswald devices, which indicates a successful backdoor login and access to the privileged service page.
- Detect session cookies matching the pattern 'AUERSessionID<serial>=' in HTTP traffic to/from Auerswald PBX management interfaces as an indicator of active authenticated sessions (potentially via the backdoor).
- The backdoor password for both the 'Schandelah' and 'Admin' users is derived by MD5-hashing the concatenation of the device serial number, the literal string 'r2d2', the current date, and (for Admin) the configured language, then taking the first 7 lowercase hex characters.
- The backdoor password is time-dependent (changes daily based on the current date) and device-dependent (uses the serial number), so static password IOCs are not useful; detection must focus on the derivation pattern or on exposure of the unauthenticated /about_state endpoint.
- No way was discovered to disable these backdoors on affected firmware versions; the only remediation is upgrading to fixed firmware versions 8.2B (for COMpact 4000/5000(R)/5200(R)/5500R/COMmander 6000(R)(RX)) or 4.0T (for the COMpact 3000 series).
- All information needed to derive the backdoor passwords (serial number, date, language) is accessible without authentication via the /about_state endpoint, meaning network access alone is sufficient for exploitation.
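The indicators above can be turned into a log-side detector. The following is an added example and not code from the CVE record, the Nuclei template or RedTeam Pentesting's advisory: a small Python scanner that applies those indicators to a constructed JSON-lines proxy log. The log format, its field names (ts, src, method, path, status, auth, location, cookie), the sample IP addresses, the session id and the credentials inside the Basic Auth headers are all assumptions made for the example; only the paths, the username 'Schandelah' and the cookie name come from the indicators on this page.

```python
import base64
import json
import re

# Constructed sample events in a hypothetical JSON-lines proxy log format.
# Source 203.0.113.5 shows the full sequence the indicators describe:
# unauthenticated /about_state recon, a Basic Auth login as 'Schandelah',
# the 302 to the service-tools page, then a session cookie. Source 10.0.0.7
# is an ordinary admin login and should produce no findings.
SAMPLE_LOG = r"""
{"ts":"2021-12-07T08:00:01Z","src":"203.0.113.5","method":"GET","path":"/about_state","status":200,"auth":"","location":"","cookie":""}
{"ts":"2021-12-07T08:00:03Z","src":"203.0.113.5","method":"GET","path":"/statics/html/index.html","status":302,"auth":"Basic U2NoYW5kZWxhaDphYmNkZWYx","location":"/statics/html/page_servicetools.html","cookie":""}
{"ts":"2021-12-07T08:00:04Z","src":"203.0.113.5","method":"GET","path":"/statics/html/page_servicetools.html","status":200,"auth":"","location":"","cookie":"AUERSessionID1234567=deadbeef"}
{"ts":"2021-12-07T09:12:44Z","src":"10.0.0.7","method":"GET","path":"/statics/html/index.html","status":200,"auth":"Basic YWRtaW46aHVudGVyMg==","location":"","cookie":""}
"""

BACKDOOR_USER = "Schandelah"                              # hardcoded reseller-level account (from the IOCs)
STATE_ENDPOINT = "/about_state"                           # unauthenticated endpoint exposing serial/date
SERVICE_PAGE = "/statics/html/page_servicetools.html"     # privileged page reached after backdoor login
SESSION_COOKIE = re.compile(r"AUERSessionID[^=;\s]+=")    # 'AUERSessionID<serial>=' pattern


def basic_auth_user(auth_header):
    """Return the username from an HTTP Basic Authorization header value, or None."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:].strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError: malformed base64
        return None
    user, _, _ = decoded.decode("utf-8", "replace").partition(":")
    return user or None


def classify(event):
    """Return the list of indicator tags that a single parsed log event matches."""
    findings = []
    if event.get("path") == STATE_ENDPOINT and not event.get("auth"):
        findings.append("about_state_unauthenticated")
    if basic_auth_user(event.get("auth", "")) == BACKDOOR_USER:
        findings.append("backdoor_user_schandelah")
    if event.get("status") == 302 and event.get("location") == SERVICE_PAGE:
        findings.append("redirect_to_servicetools")
    if SESSION_COOKIE.search(event.get("cookie", "")):
        findings.append("auer_session_cookie")
    return findings


def scan_log(text):
    """Parse JSON-lines log text; return {src: [(ts, tag), ...]} for sources with findings."""
    hits = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                # skip malformed lines rather than aborting the scan
        for tag in classify(event):
            hits.setdefault(event["src"], []).append((event["ts"], tag))
    return hits


def score_source(tags):
    """Escalate when one source shows recon, backdoor login and the service page together."""
    seen = set(tags)
    chain = {"about_state_unauthenticated", "backdoor_user_schandelah", "redirect_to_servicetools"}
    if chain <= seen:
        return "high"
    if "backdoor_user_schandelah" in seen:
        return "medium"
    if seen:
        return "low"
    return "none"


if __name__ == "__main__":
    for src, events in scan_log(SAMPLE_LOG).items():
        tags = [tag for _, tag in events]
        print(src, score_source(tags), tags)
```

A lone hit on /about_state is scored low on purpose: the endpoint is reachable without authentication by design, so the device's own UI or a monitoring probe may legitimately fetch it. The 'Schandelah' username and the redirect to the service-tools page are the discriminating events, which is why the scorer only escalates to high when the whole chain is seen from one source.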
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
Auerswald COMpact 8.0B - Multiple Backdoors (exploitdb · 2021-12-06 · CVSS 9.8 · CVE-2021-40859 [CRITICAL])
```text
# Exploit Title: Auerswald COMpact 8.0B - Multiple Backdoors
# Date: 06/12/2021
# Exploit Author: RedTeam Pentesting GmbH

Advisory: Auerswald COMpact Multiple Backdoors

RedTeam Pentesting discovered several backdoors in the firmware for the
Auerswald COMpact 5500R PBX. These backdoors allow attackers who are
able to access the web-based management application full administrative
access to the device.

Details

Product: COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP, COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, C
```
Nuclei
Auerswald COMpact 5500R 7.8A and 8.0B Devices Backdoor (nuclei · CVSS 9.8 · CVE-2021-40859 [CRITICAL])
Auerswald COMpact 5500R 7.8A and 8.0B devices contain an unauthenticated endpoint ("https://192.168.1[.]2/about_state"), enabling the bad actor to gain backdoor access to a web interface that allows for resetting the administrator password.
Template:
```yaml
id: CVE-2021-40859

info:
  name: Auerswald COMpact 5500R 7.8A and 8.0B Devices Backdoor
  author: pussycat0x
  severity: critical
  description: Auerswald COMpact 5500R 7.8A and 8.0B devices contain an unauthenticated endpoint ("https://192.168.1[.]2/about_state"), enabling the bad actor to gain backdoor access to a web interface that allows for resetting the administrator password.
  impact: |
    Unauthenticated attackers can gain unauthorized access to affected devices.
  remediation: |
    Apply the l
```
No writeups or analysis indexed.
References
- https://www.redteam-pentesting.de/en/advisories/ (Advisories: publicised vulnerability analyses)
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/ (Auerswald COMpact Multiple Backdoors)