CVE-2021-41293
published 2021-09-30


Priority: P1 81 high
CVSS 3.1 base score: 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
In the wild: exploited (VulnCheck KEV)
EPSS: 20.08% (97.1th percentile)
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.

Detection & IOCs (extracted from sources)

url: /viewlog.jsp
path: ../../../../../../../../etc/passwd
command: POST /viewlog.jsp HTTP/1.1 yr=2021&mh=6&fname=../../../../../../../../etc/passwd
yara:
rule CVE_2021_41293_ECOA_LFI
{
    strings:
        $req = "fname="        // the vulnerable POST parameter
        $traversal = "../"     // directory traversal sequence
    condition:
        $req and $traversal
}
  • Detect POST requests to /viewlog.jsp containing path traversal sequences (e.g., '../') in the 'fname' parameter — unauthenticated exploitation requires no prior session.
  • A successful exploit response will contain the string matching 'root:.*:0:0:' in the HTTP 200 response body, indicating /etc/passwd was retrieved.
  • No authentication is required; flag any unauthenticated POST to /viewlog.jsp with a 'fname' parameter value containing directory traversal sequences as high-severity.
  • The traversal depth shown in the PoC (8 levels: ../../../../../../../../) targets /etc/passwd, but arbitrary files at any depth may be reachable; detection rules should match on any occurrence of '../' in the fname parameter, not just the specific depth.
  • The vulnerability is confirmed against ECOA ECS Router Controller-ECS firmware; the CPE cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:* should be used to scope asset identification.
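The detection points above (POST to /viewlog.jsp, traversal in fname, passwd-style content in a 200 response) as a small log-scanning routine. This is an added example, not code from the page or from ECOA; the request records are constructed, and it percent-decodes the parameter so that encoded variants of '../' are not missed by a literal string match.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample request/response records modelled on the PoC above
# (fields are assumed: method, path, body, status, response).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/viewlog.jsp",
     "body": "yr=2021&mh=6&fname=../../../../../../../../etc/passwd",
     "status": 200, "response": "root:x:0:0:root:/root:/bin/sh\n"},
    {"method": "POST", "path": "/viewlog.jsp",
     "body": "yr=2021&mh=6&fname=%2e%2e%2f%2e%2e%2fetc%2fhosts",   # percent-encoded traversal
     "status": 200, "response": "127.0.0.1 localhost\n"},
    {"method": "POST", "path": "/viewlog.jsp",
     "body": "yr=2021&mh=6&fname=2021-06.log",                     # benign log name
     "status": 200, "response": "..."},
    {"method": "GET", "path": "/index.jsp", "body": "", "status": 200, "response": "..."},
]

TRAVERSAL = re.compile(r"\.\.[/\\]")      # '../' or '..\' anywhere in the value
PASSWD_LEAK = re.compile(r"root:.*:0:0:")  # indicator from the detection notes


def fname_value(body: str) -> str:
    """Return the decoded 'fname' form parameter ('' if absent)."""
    params = parse_qs(body, keep_blank_values=True)  # parse_qs percent-decodes once
    return params.get("fname", [""])[0]


def classify(req: dict):
    """Return a finding dict for a traversal attempt against /viewlog.jsp, else None."""
    if req["method"] != "POST" or req["path"].lower() != "/viewlog.jsp":
        return None
    fname = unquote(fname_value(req["body"]))  # second decode catches double-encoding
    if not TRAVERSAL.search(fname):
        return None
    # A 200 whose body looks like /etc/passwd means the file was actually disclosed.
    confirmed = req["status"] == 200 and bool(PASSWD_LEAK.search(req["response"]))
    return {"severity": "high", "fname": fname, "confirmed_disclosure": confirmed}


def scan(records):
    """Return (index, finding) pairs for every record that matches."""
    findings = []
    for i, rec in enumerate(records):
        finding = classify(rec)
        if finding:
            findings.append((i, finding))
    return findings
```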

CVSS provenance

  source      version  score  severity  vector
  nvd         v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  nvd         v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
  vulncheck   -        7.5    HIGH      -