CVE-2021-41291
published 2021-09-30

Priority: P2 · CVSS 3.1 base score 7.5 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 79.44% (99.6th percentile)
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.

Detection & IOCs (extracted from sources)

URL: /fmangersub?cpath=../../../../../../../etc/passwd
Path: /fmangersub
  • Look for GET requests to /fmangersub whose cpath parameter contains directory traversal sequences (e.g. ../), in plain or URL-encoded form; no authentication is required to reach this endpoint.
  • Successful exploitation returns the contents of /etc/passwd; detect it by matching the regex root:.*:0:0: against HTTP response bodies coming from the ECOA BAS controller.
  • The vulnerability is unauthenticated (PR:N): no credentials or session tokens are needed, so any network-reachable ECOA BAS controller is at risk.
  • The PoC uses a traversal depth of 7 (../../../../../../..); other depths may also succeed depending on where the application is deployed, so detection should not key on the exact depth.
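The two checks above (a traversal request against /fmangersub, and a response body that looks like /etc/passwd) as working detection logic. This is an added example, not code from the original page, the PoC author, or ECOA: it assumes a combined-format web-server access log in front of the controller, decodes cpath repeatedly so percent-encoded and double-encoded traversal is caught, and ignores the traversal depth entirely. The log lines and response body are constructed for the example.

```python
"""Detection helpers for CVE-2021-41291 (ECOA BAS File Manager path traversal).

Added example, not code from the page or from ECOA. Log format, sample log
lines and the sample response body are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/fmangersub"                # endpoint named in the PoC
VULN_PARAM = "cpath"                     # GET parameter carrying the path
PASSWD_RE = re.compile(r"root:.*:0:0:")  # root entry of /etc/passwd

# Apache/nginx "combined" access-log layout (assumed; adjust to your logs).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if any path segment (after decoding, either slash style) is '..'."""
    decoded = _fully_decode(value).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def is_traversal_request(method: str, target: str) -> bool:
    """Match GET /fmangersub?cpath=<anything containing ../>, any encoding, any depth."""
    if method != "GET":
        return False
    parts = urlsplit(target)
    if _fully_decode(parts.path) != VULN_PATH:
        return False
    # parse_qs decodes one layer; _fully_decode in has_traversal handles the rest.
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    return any(has_traversal(v) for v in values)


def is_passwd_leak(body: str) -> bool:
    """True if a response body contains a root entry the way /etc/passwd does."""
    return PASSWD_RE.search(body) is not None


def scan_access_log(lines):
    """Return (source_ip, timestamp, target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_request(m["method"], m["target"]):
            hits.append((m["src"], m["ts"], m["target"], int(m["status"])))
    return hits


# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    # the PoC request, answered 200 with a body: likely disclosure
    '203.0.113.5 - - [01/Oct/2021:10:15:02 +0000] "GET /fmangersub?cpath=../../../../../../../etc/passwd HTTP/1.1" 200 1123',
    # same attacker, URL-encoded traversal, blocked upstream
    '203.0.113.5 - - [01/Oct/2021:10:15:07 +0000] "GET /fmangersub?cpath=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    # legitimate file-manager browsing
    '198.51.100.7 - - [01/Oct/2021:10:16:00 +0000] "GET /fmangersub?cpath=/www/html HTTP/1.1" 200 512',
    # traversal against a different endpoint: not this CVE
    '203.0.113.9 - - [01/Oct/2021:10:17:00 +0000] "GET /other?f=../../etc/passwd HTTP/1.1" 404 0',
    # POST to the endpoint: the PoC is GET-based
    '203.0.113.9 - - [01/Oct/2021:10:18:00 +0000] "POST /fmangersub?cpath=../../x HTTP/1.1" 405 0',
]
SAMPLE_BODY = "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"

if __name__ == "__main__":
    for src, ts, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {src} -> {target} ({status})")
    print("response looks like /etc/passwd:", is_passwd_leak(SAMPLE_BODY))
```

A 200 response to a flagged request is the strongest signal; pair the request match with the response-body regex at a proxy or IDS that sees both directions, since a 403 or 404 on the same URL only shows an attempt.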

CVSS provenance

NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N