CVE-2021-41291
Published 2021-09-30
Priority P2 · 75 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 79.44% (99.6th percentile)
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.
Detection & IOCs
path: /fmangersub
- Look for GET requests to /fmangersub with a 'cpath' parameter containing directory traversal sequences (e.g., '../'); no authentication is required to exploit this endpoint.
- Successful exploitation returns /etc/passwd content; detect by matching the regex pattern 'root:.*:0:0:' in HTTP responses from the ECOA BAS controller.
- The vulnerability is unauthenticated (PR:N), meaning no credentials or session tokens are needed; any network-accessible ECOA BAS controller is at risk.
- The traversal depth used in the PoC is 7 levels (../../../../../../..), but other depths may also succeed depending on the deployment path of the application.
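The request-side and response-side checks listed above, as an added detection example (not part of the original page or the Nuclei template). It assumes combined-log-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request part of a combined-log-format line (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Response-side indicator quoted on the page.
PASSWD_RE = re.compile(r"root:.*:0:0:")

def has_traversal(value, max_decode=3):
    """True if value holds a '..' path segment, also after repeated URL-decoding."""
    for _ in range(max_decode):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Split on both separators so 'a..b' is not flagged but '../' and '..\\' are.
    return ".." in re.split(r"[\\/]+", value)

def scan_access_log(lines):
    """Return one hit per GET /fmangersub request whose cpath contains traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/fmangersub":
            continue
        # parse_qs performs the first URL-decode; has_traversal handles further layers.
        for cpath in parse_qs(url.query, keep_blank_values=True).get("cpath", []):
            if has_traversal(cpath):
                hits.append({"src": m["src"], "status": int(m["status"]), "cpath": cpath})
    return hits

def response_discloses_passwd(body):
    """Response-side check: does the HTTP body match the page's passwd pattern?"""
    return bool(PASSWD_RE.search(body))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2021:10:00:00 +0000] "GET /fmangersub?cpath=/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Oct/2021:10:01:00 +0000] "GET /fmangersub?cpath=../../../../../../../ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Oct/2021:10:02:00 +0000] "GET /fmangersub?cpath=%252e%252e%252f%252e%252e%252f HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Oct/2021:10:03:00 +0000] "GET /index.html?cpath=../ HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Because the endpoint needs no authentication, a hit with a 200 status from any source address is worth triage, not only hits from unexpected networks.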
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Nuclei
ECOA Building Automation System - Directory Traversal Content Disclosure
nuclei · CVSS 7.5
CVE-2021-41291 [HIGH] ECOA Building Automation System - Directory Traversal Content Disclosure
The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device.
Template:
id: CVE-2021-41291
info:
  name: ECOA Building Automation System - Directory Traversal Content Disclosure
  author: gy741
  severity: high
  description: The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
  impact: |
    An attacker can exploit this vulnerability to access sensitive files and directories, potentially exposing sensitive inform