CVE-2021-46419
published 2022-04-07

CVE-2021-46419: An unauthorized file deletion vulnerability in Telesquare TLR-2855KS6 via DELETE method can allow deletion of system files and scripts.

Priority: P2 (74)
Severity: critical, CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
Exploit: public PoC available
EPSS: 71.38% (99.3rd percentile)

Detection & IOCs (extracted from sources)

url:      DELETE /cgi-bin/test.cgi HTTP/1.1
path:     /cgi-bin/test.cgi
path:     /cgi-bin/
command:  DELETE /cgi-bin/<filename>.txt HTTP/1.1
  • Detect exploit attempts by monitoring for HTTP DELETE requests targeting the /cgi-bin/ path on Telesquare TLR-2855KS6 devices (the device's web server is lighttpd). Because the request needs no session, the method and path alone are the signal; there is no preceding login to look for.
  • Identify exposed TLR-2855KS6 devices via Shodan using the query title:"Login to TLR-2855KS6" or http.title:"login to tlr-2855ks6".
  • Identify exposed TLR-2855KS6 devices via FOFA using product=="TELESQUARE-TLR-2855KS6" or title="login to tlr-2855ks6".
  • The published PoC is a two-step HTTP interaction: a PUT request to /cgi-bin/<filename>.txt that returns HTTP 201, followed by a DELETE request to the same path that returns HTTP 204. The PUT only creates a disposable target file for the test; the DELETE is the vulnerability, and it works just as well against existing files (the DELETE /cgi-bin/test.cgi IOC above). Alert on any DELETE to /cgi-bin/, and treat a PUT answered 201 followed by a DELETE answered 204 on the same path from the same source as confirmation that the device honoured both requests.
  • The PoC sends a DNT: 1 header in both the PUT and the DELETE request. On its own this is a weak indicator: browsers send DNT: 1 routinely, and lighttpd's default access log does not record it. Use it only as a secondary correlation on full HTTP captures or proxy/WAF logs, never as the primary rule.
  • The vulnerability requires no authentication (PR:N, UI:N per CVSS), so an unauthenticated HTTP DELETE request to a /cgi-bin/ path is sufficient to delete the file; no session or credentials are needed.
  • The nonce cookie value in the PoC (nonce=16426923592222) is specific to the researcher's test session and is NOT required for exploitation; the vulnerability is unauthenticated.
  • The affected device runs lighttpd; the Server response header can narrow a target list, but lighttpd is common on embedded devices and confirms nothing by itself. Pair it with the login page title ("Login to TLR-2855KS6") before raising device-specific alerts.
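The detection rules above, implemented over access-log lines as an added example (this is editor-written code, not part of the advisory or the PoC). It assumes the device logs in lighttpd's default accesslog.format (client, vhost, user, timestamp, request line, status, size, referer, user-agent); the sample log is constructed, and the five-minute pairing window is an arbitrary choice. Every DELETE under /cgi-bin/ produces an alert, a DELETE answered 204 is rated critical because a file was actually removed, and a PUT that returned 201 followed by a DELETE that returned 204 on the same path from the same client is tagged as the PoC shape.

```python
import re
from datetime import datetime, timedelta

# Assumption: the device logs in lighttpd's default accesslog.format,
#   "%h %V %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WATCHED_PREFIX = "/cgi-bin/"
PAIR_WINDOW = timedelta(minutes=5)   # assumed window for pairing a PUT with its DELETE

# Constructed sample log (not real traffic): one PoC-style PUT/DELETE pair,
# one bare DELETE of an existing script, one failed DELETE, and benign noise.
SAMPLE_LOG = """\
203.0.113.7 tlr.example.invalid - [15/Jan/2022:10:12:33 +0000] "PUT /cgi-bin/test.txt HTTP/1.1" 201 0 "-" "python-requests/2.26.0"
203.0.113.7 tlr.example.invalid - [15/Jan/2022:10:12:34 +0000] "DELETE /cgi-bin/test.txt HTTP/1.1" 204 0 "-" "python-requests/2.26.0"
198.51.100.9 tlr.example.invalid - [15/Jan/2022:10:13:01 +0000] "GET /cgi-bin/login.cgi HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 tlr.example.invalid - [15/Jan/2022:10:13:05 +0000] "DELETE /cgi-bin/test.cgi HTTP/1.1" 204 0 "-" "curl/7.79.1"
198.51.100.9 tlr.example.invalid - [15/Jan/2022:10:13:09 +0000] "DELETE /cgi-bin/missing.sh HTTP/1.1" 404 345 "-" "curl/7.79.1"
192.0.2.44 tlr.example.invalid - [15/Jan/2022:10:14:00 +0000] "DELETE /api/session HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines):
    """Return a list of alert dicts for PUT/DELETE traffic against /cgi-bin/.

    Rules:
      delete-to-cgi-bin    any DELETE under /cgi-bin/; no credentials are needed,
                           so the attempt itself is the signal. A 204 response
                           means the file really was removed -> critical.
      put-to-cgi-bin       a PUT under /cgi-bin/ answered 201 (a file was written).
      put-then-delete-poc  the PoC shape: PUT 201 then DELETE 204 on the same path
                           from the same client within PAIR_WINDOW.
    """
    alerts = []
    pending_puts = {}          # (client, path) -> time of the PUT that got 201
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIX):
            continue
        key = (rec["client"], rec["path"])
        base = {"client": rec["client"], "path": rec["path"],
                "status": rec["status"], "time": rec["time"].isoformat()}
        if rec["method"] == "PUT" and rec["status"] == 201:
            pending_puts[key] = rec["time"]
            alerts.append({**base, "rule": "put-to-cgi-bin", "severity": "high"})
        elif rec["method"] == "DELETE":
            rule, severity = "delete-to-cgi-bin", "high"
            if rec["status"] == 204:
                severity = "critical"
                put_time = pending_puts.pop(key, None)
                if put_time is not None and rec["time"] - put_time <= PAIR_WINDOW:
                    rule = "put-then-delete-poc"
            alerts.append({**base, "rule": rule, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f'{a["severity"]:8} {a["rule"]:20} {a["client"]} {a["path"]} -> {a["status"]}')
```

The GET to /cgi-bin/login.cgi and the DELETE outside /cgi-bin/ produce nothing; the failed DELETE (404) is still reported, at a lower severity, because the attempt is what matters on an unauthenticated endpoint. If your collector records request headers, the DNT: 1 correlation from the IOC list can be added as an extra field on the alert, but the rules above do not depend on it.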

CVSS provenance

NVD, CVSS v3.1: 9.1 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD, CVSS v2.0: 6.4 MEDIUM     AV:N/AC:L/Au:N/C:N/I:P/A:P