CVE-2021-45420
published 2022-02-14


Priority: P186 · CVSS 3.1: 9.8 (critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 25.96% (97.7th percentile)
Emerson Dixell XWEB-500 products are affected by an arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker is able to write any file on the target system without any kind of authentication mechanism, which can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced.

Detection & IOCs (extracted from sources)

  • path: /cgi-bin/logo_extra_upload.cgi
  • path: /cgi-bin/cal_save.cgi
  • path: /cgi-bin/lo_utils.cgi
  • command: POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1 (Content-Type: application/octet-stream)
  • other: dixell-xweb500-filewrite (Nuclei template id)
  • other: inurl:"xweb500.cgi"
  • Detect unauthenticated POST requests to /cgi-bin/logo_extra_upload.cgi with Content-Type: application/octet-stream — the primary exploitation endpoint for arbitrary file write.
  • Verify exploitation by checking if the uploaded file is accessible under /logo/<filename>.txt and contains the attacker-controlled payload string.
  • Monitor for any unauthenticated POST/GET activity to /cgi-bin/cal_save.cgi and /cgi-bin/lo_utils.cgi as additional arbitrary file write vectors.
  • Use the Google dork inurl:"xweb500.cgi" to identify internet-exposed Emerson Dixell XWEB-500 devices.
  • No authentication headers or tokens are required for exploitation; any unauthenticated request to the vulnerable CGI endpoints should be treated as suspicious.
  • The product has been end-of-life since 2018 and no firmware patches are expected; detection/blocking at the network perimeter is the primary mitigation.
  • The Nuclei template uses a randomised filename ({{randstr}}.txt) for the probe, so static file-name signatures will not reliably detect all exploitation attempts; focus on the CGI endpoint and Content-Type instead.
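As an added example (not part of this record or of the Nuclei template it references), the following Python applies the detection points above to constructed web-server access log lines. The log format is an assumption: common log format with the request Content-Type appended as a final quoted field, since the probe is distinguished by that header.

```python
import re
from collections import namedtuple

# The three unauthenticated CGI endpoints named in the advisory.
VULN_CGI = {
    "/cgi-bin/logo_extra_upload.cgi",
    "/cgi-bin/cal_save.cgi",
    "/cgi-bin/lo_utils.cgi",
}

# Constructed sample log lines, not real traffic. Assumed format: common log
# format plus the request Content-Type as a trailing quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2022:10:00:01 +0000] "POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1" 200 12 "application/octet-stream"
203.0.113.7 - - [14/Feb/2022:10:00:02 +0000] "GET /logo/aB3xZq9k.txt HTTP/1.1" 200 31 "-"
198.51.100.4 - - [14/Feb/2022:10:05:00 +0000] "GET /cgi-bin/cal_save.cgi HTTP/1.1" 200 88 "-"
192.0.2.10 - - [14/Feb/2022:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)

Alert = namedtuple("Alert", "ip ts severity reason")


def analyse(log_text):
    """Return one Alert per log line that matches the advisory's detection points."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path in VULN_CGI:
            # Any request to these CGIs is suspect (no auth exists); a POST with
            # application/octet-stream matches the known exploit pattern exactly.
            is_exploit_shape = (m["method"] == "POST"
                                and m["ctype"].startswith("application/octet-stream"))
            alerts.append(Alert(m["ip"], m["ts"], "high" if is_exploit_shape else "medium",
                                f"{m['method']} {path} (Content-Type: {m['ctype']})"))
        elif path.startswith("/logo/") and path.endswith(".txt") and m["status"] == "200":
            # A successful read under /logo/<name>.txt is how the probe verifies that
            # the write landed; the name is random, so match on location, not name.
            alerts.append(Alert(m["ip"], m["ts"], "low", f"possible probe verification: GET {path}"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a)
```

Correlating a high-severity alert with a low-severity one from the same source address within a few seconds is a strong indicator that the probe succeeded.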

CVSS provenance

  • NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • VulnCheck: 9.8 CRITICAL