CVE-2021-40859
published 2021-12-07


Priority: P1 (84) | Severity: critical | CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit)
EPSS: 71.98% (99.4th percentile)
Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices that give attackers with network access to the web-based management application full administrative access to the device.

Affected

2 ranges

Vendor      Product                   Version range   Fixed in
auerswald   compact_5500r_firmware    (not given)     (not given)
auerswald   compact_5500r_firmware    (not given)     (not given)

Detection & IOCs (extracted from sources)

path: /about_state
path: /logstatus_state
path: /statics/html/page_servicetools.html
path: /tree
cookie: AUERSessionID<serial>=<value>; HttpOnly; Path=/
other: username: Schandelah
command: echo -n <serial>r2d2<date> | md5sum | egrep -o '^.{7}'
command: echo -n <serial>r2d2<date><language> | md5sum | egrep -o '^.{7}'
filename: 7_8A_002_COMpact5500.rom
  • Detect unauthenticated GET requests to /about_state on Auerswald devices; a JSON response containing 'pbx', 'dongleStatus':0, and 'macaddr' fields indicates a vulnerable device exposing serial number and date needed for backdoor password derivation.
  • Monitor for HTTP Basic Auth attempts using the username 'Schandelah' against Auerswald device management interfaces; this is a hardcoded backdoor account granting 'Haendler' (reseller) level access.
  • Monitor for HTTP 302 redirects to /statics/html/page_servicetools.html following authentication to Auerswald devices, which indicates successful backdoor login and access to the privileged service page.
  • Detect session cookies matching the pattern 'AUERSessionID<serial>=' in HTTP traffic to/from Auerswald PBX management interfaces as an indicator of active authenticated sessions (potentially via backdoor).
  • The backdoor password for both 'Schandelah' and 'Admin' users is derived by MD5-hashing the concatenation of the device serial number, the literal string 'r2d2', the current date, and (for Admin) the configured language, then taking the first 7 lowercase hex characters.
  • The backdoor password is time-dependent (changes daily based on current date) and device-dependent (uses serial number), so static password IOCs are not useful; detection must focus on the derivation pattern or the unauthenticated /about_state endpoint exposure.
  • No way was discovered to disable these backdoors on affected firmware versions; the only remediation is upgrading to fixed firmware versions 8.2B (for COMpact 4000/5000(R)/5200(R)/5500R/COMmander 6000(R)(RX)) or 4.0T (for COMpact 3000 series).
  • All information needed to derive the backdoor passwords (serial number, date, language) is accessible without authentication via the /about_state endpoint, meaning network access alone is sufficient for exploitation.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C