← back
CVE-2021-20090

CVE-2021-20090

CVSS 9.8 CRITICALEPSS 100.0%● KEVCWE-22
In short

An unauthenticated attacker can bypass login protections on Buffalo routers by manipulating file paths in requests, gaining unauthorized access to the device's web interface without needing valid credentials.

Technical detail

A path traversal vulnerability (CWE-22) in Buffalo WSR-2533DHPL2 (≤1.02) and WSR-2533DHP3 (≤1.24) web interfaces permits unauthenticated remote attackers to bypass authentication mechanisms by crafting malicious path sequences, enabling unauthorized access to administrative functions.

Summary generated and translated by AI from the official description.
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · Buffalo WSR-2533DHPL2, Buffalo WSR-2533DHP3

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20090https://www.kb.cert.org/vuls/id/914124https://www.secpod.com/blog/arcadyan-based-routers-and-modems-under-active-exploitation/https://www.tenable.com/security/research/tra-2021-13