CVE-2021-45428
published 2022-01-03

Priority: P178 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 56.93% (98.9th percentile)
TLR-2005KSH is affected by an incorrect access control vulnerability. The PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats.

Detection & IOCs (extracted from sources)

ip: 223.62.114.233
port: 8081
command: PUT /l6f3jd6cbf.txt HTTP/1.1
other: http.html:"TLR-2005KSH"
  • Detect exploitation attempts by monitoring for HTTP PUT requests to the device, which should not normally accept PUT. A successful upload returns HTTP 201.
  • Confirm exploitation by checking that the uploaded file is subsequently retrievable via GET (HTTP 200), indicating successful arbitrary file write.
  • Use the Shodan dork to identify exposed TLR-2005KSH devices on the internet as potential targets.
  • No authentication is required to exploit this vulnerability; monitor for unauthenticated PUT requests to the device's web interface.
  • Alternate Shodan dork for identifying vulnerable devices: title:"Login to TLR-2021"
  • The vulnerability affects Telesquare TLR-2005KSH version 1.0.0 specifically; verify device firmware version before applying detections.
  • The exploit proof-of-concept uses a randomized filename (e.g. l6f3jd6cbf.txt); detection rules should not rely on a specific filename but rather on the HTTP PUT method being used against the device.
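
The detection logic in the list above, as an added example that is not taken from the advisory or its sources: it grades each PUT seen in access logs as attempt, uploaded (201) or confirmed (201 followed by a GET 200 of the same path), without keying on a filename. The Common Log Format input, the log source in front of the device and all sample lines are assumptions constructed for illustration.

```python
import re

# Common Log Format; assumes a reverse proxy or network sensor in front of
# the device writes these lines (the page does not name a log source).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
RANK = {"attempt": 0, "uploaded": 1, "confirmed": 2}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [03/Jan/2022:10:00:02 +0000] "PUT /a1b2c3.txt HTTP/1.1" 201 0
198.51.100.7 - - [03/Jan/2022:10:00:03 +0000] "GET /a1b2c3.txt HTTP/1.1" 200 12
203.0.113.9 - - [03/Jan/2022:10:05:00 +0000] "PUT /x.cgi HTTP/1.1" 403 0
203.0.113.9 - - [03/Jan/2022:10:05:01 +0000] "GET /x.cgi HTTP/1.1" 404 0
192.0.2.44 - - [03/Jan/2022:10:09:00 +0000] "PUT /page.html HTTP/1.1" 201 0
"""

def classify_put_activity(log_text):
    """Return (severity, src, path) per path that received a PUT.

    attempt   - PUT seen but not answered with 201
    uploaded  - PUT answered with 201 (file created)
    confirmed - the uploaded path was later served with GET 200
    """
    findings = {}  # path -> [severity, src]; dict keeps first-seen order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        method, status = m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if method == "PUT":
            severity = "uploaded" if status == 201 else "attempt"
            prev = findings.get(path)
            # Never downgrade a path that already reached a higher severity.
            if prev is None or RANK[severity] > RANK[prev[0]]:
                findings[path] = [severity, m["src"]]
        elif method == "GET" and status == 200:
            # Retrieval may come from any client, so match on path only.
            if path in findings and findings[path][0] == "uploaded":
                findings[path][0] = "confirmed"
    return [(sev, src, path) for path, (sev, src) in findings.items()]

if __name__ == "__main__":
    for finding in classify_put_activity(SAMPLE_LOG):
        print(*finding)
```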

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P