CVE-2021-45420
Published: 2022-02-14
CVE-2021-45420: Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and…
Priority P186 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 25.96% (97.7th percentile)
Emerson Dixell XWEB-500 products are affected by an arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced.
Detection & IOCs (extracted from sources)
command: POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1
Content-Type: application/octet-stream
other: dixell-xweb500-filewrite
other: inurl:"xweb500.cgi"
- Detect unauthenticated POST requests to /cgi-bin/logo_extra_upload.cgi with Content-Type: application/octet-stream — the primary exploitation endpoint for arbitrary file write.
- Verify exploitation by checking if the uploaded file is accessible under /logo/<filename>.txt and contains the attacker-controlled payload string.
- Monitor for any unauthenticated POST/GET activity to /cgi-bin/cal_save.cgi and /cgi-bin/lo_utils.cgi as additional arbitrary file write vectors.
- Use the Google dork inurl:"xweb500.cgi" to identify internet-exposed Emerson Dixell XWEB-500 devices.
- No authentication headers or tokens are required for exploitation; any unauthenticated request to the vulnerable CGI endpoints should be treated as suspicious.
- The product has been end-of-life since 2018 and no firmware patches are expected; detection/blocking at the network perimeter is the primary mitigation.
- The Nuclei template uses a randomised filename ({{randstr}}.txt) for the probe, so static file-name signatures will not reliably detect all exploitation attempts; focus on the CGI endpoint and Content-Type instead.
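The detection notes above can be applied to web access logs as follows. This is an added example, not code from the advisory or the Nuclei project; it assumes logs in Combined Log Format from a proxy or web server in front of the device (that format carries no Content-Type, so it keys on endpoint and method), and the sample lines are constructed.

```python
import re

# CGI endpoints named in the advisory for CVE-2021-45420.
UPLOAD_CGI = "/cgi-bin/logo_extra_upload.cgi"
VULN_CGI = {UPLOAD_CGI, "/cgi-bin/cal_save.cgi", "/cgi-bin/lo_utils.cgi"}

# Combined Log Format: client, identity, user, [timestamp], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def scan(lines):
    """Return (severity, client, detail) findings in log order."""
    findings = []
    uploaders = set()  # clients seen POSTing to the upload endpoint
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["uri"].split("?", 1)[0]  # ignore the query string
        if path in VULN_CGI:
            if method == "POST" and path == UPLOAD_CGI:
                uploaders.add(ip)
                findings.append(("high", ip, f"POST to {path}"))
            else:
                findings.append(("medium", ip, f"{method} to {path}"))
        elif (method == "GET" and path.startswith("/logo/")
              and ip in uploaders and status == "200"):
            # The probe filename is random, so match the directory and the
            # upload-then-readback sequence rather than a fixed name.
            findings.append(("critical", ip, f"readback of {path}"))
    return findings

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '198.51.100.7 - - [14/Feb/2022:10:00:01 +0000] "POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [14/Feb/2022:10:00:02 +0000] "GET /logo/k3j2h1.txt HTTP/1.1" 200 20 "-" "-"',
    '203.0.113.9 - - [14/Feb/2022:10:05:00 +0000] "GET /cgi-bin/lo_utils.cgi?x=1 HTTP/1.1" 200 5 "-" "-"',
    '192.0.2.10 - - [14/Feb/2022:10:06:00 +0000] "GET /logo/company.png HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```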
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 9.8 CRITICAL
GHSA
GHSA-mvgm-c55v-5wjw: ** UNSUPPORTED WHEN ASSIGNED ** Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload
ghsa_unreviewed·2022-02-15
CVE-2021-45420 [CRITICAL] CWE-200 GHSA-mvgm-c55v-5wjw: ** UNSUPPORTED WHEN ASSIGNED ** Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload
** UNSUPPORTED WHEN ASSIGNED ** Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced.
VulnCheck
emerson dixell_xweb-500_firmware Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2021·CVSS 9.8
CVE-2021-45420 [CRITICAL] emerson dixell_xweb-500_firmware Exposure of Sensitive Information to an Unauthorized Actor
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced
Affected: emerson dixell_xweb-500_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/st
No detection rules found.
Nuclei
Emerson Dixell XWEB-500 - Arbitrary File Write
nuclei·CVSS 9.8
CVE-2021-45420 [CRITICAL] Emerson Dixell XWEB-500 - Arbitrary File Write
Emerson Dixell XWEB-500 contains an arbitrary file write caused by unauthenticated access to /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi, letting attackers write any file on the system, exploit requires no authentication.
Template:
id: CVE-2021-45420

info:
  name: Emerson Dixell XWEB-500 - Arbitrary File Write
  author: hackerarpan
  severity: critical
  description: |
    Emerson Dixell XWEB-500 contains an arbitrary file write caused by unauthenticated access to /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi, letting attackers write any file on the system, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can write arbitrary files to any location on the Dixe
No writeups or analysis indexed.