CVE-2020-21937

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in the HNAP1/SetWLanApcliSettings endpoint of Motorola CX2 routers. An attacker who can reach the endpoint can execute arbitrary system commands on the device and potentially take full control of it. Users of Motorola CX2 routers running the vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Motorola CX2 router
Versions: CX 1.0.2 Build 20190508 Rel.97360n
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the HNAP1 protocol implementation which is typically enabled by default on these routers.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router, allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the device for botnet activities.

🟠 Likely Case: Router takeover leading to DNS hijacking, credential theft from network traffic, and use as a foothold for attacking other devices on the local network.

🟢 If Mitigated: Limited impact if the router is behind a firewall with restricted WAN access and proper network segmentation is in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires network access to the router's web interface/HNAP endpoint. Public proof-of-concept code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No known vendor advisory

Restart Required: No

Instructions:

No official patch available. Check Motorola/Arris website for firmware updates. If available, download and install through router admin interface.

🔧 Temporary Workarounds

Disable HNAP1 protocol (applies to: all)

Disable the HNAP1 protocol if it is not required for functionality.

Restrict WAN access (applies to: all)

Configure the firewall to block external access to the router admin interface (typically ports 80, 443, 8080).

🧯 If You Can't Patch

  • Replace affected routers with supported models
  • Isolate routers in separate VLAN with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If it matches the affected build (CX 1.0.2 Build 20190508 Rel.97360n), the device is vulnerable.

Check Version:

Check the router web interface at http://[router-ip]/ or use nmap to identify the device model and firmware.

Verify Fix Applied:

Verify firmware has been updated to a version newer than the affected build.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /HNAP1/SetWLanApcliSettings with shell metacharacters
  • Unexpected system command execution in router logs

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains from router

SIEM Query:

source="router_logs" AND uri="/HNAP1/SetWLanApcliSettings" AND (request CONTAINS "|" OR request CONTAINS ";" OR request CONTAINS "`" OR request CONTAINS "$")
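As an added example (not from this page or from any vendor tooling), the log indicator and SIEM query above expressed as a small Python filter that can be run over exported web-server or proxy log lines; the log format, field names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory and the metacharacter set used by the SIEM query.
# '&' is deliberately not included: it is the normal form-field separator in POST bodies.
HNAP_PATH = "/HNAP1/SetWLanApcliSettings"
METACHARS = ("|", ";", "`", "$")

# Assumed log format (constructed): <timestamp> <client_ip> <method> <path> body=<url-encoded body>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$")


def is_suspicious(line):
    """Return (client_ip, sorted metacharacters found) for a POST to the HNAP endpoint
    whose URL-decoded body contains shell metacharacters; otherwise return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] != "POST" or not m["path"].startswith(HNAP_PATH):
        return None
    body = unquote(m["body"])  # decode %3B, %24 etc. so encoded metacharacters are still caught
    found = sorted({c for c in METACHARS if c in body})
    return (m["ip"], found) if found else None


def scan(lines):
    """Return a list of (client_ip, metacharacters) for every suspicious line, in order."""
    hits = []
    for line in lines:
        r = is_suspicious(line)
        if r:
            hits.append(r)
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2020-06-01T10:00:01Z 192.168.0.20 POST /HNAP1/SetWLanApcliSettings body=ApCliSSID=home&ApCliKey=secret",
    "2020-06-01T10:00:05Z 203.0.113.7 POST /HNAP1/SetWLanApcliSettings body=ApCliSSID=home%3Bls",
    "2020-06-01T10:00:09Z 203.0.113.7 GET /HNAP1/ body=",
    "2020-06-01T10:00:12Z 203.0.113.9 POST /HNAP1/SetWLanApcliSettings body=ApCliSSID=cafe`uname`",
]

if __name__ == "__main__":
    for ip, chars in scan(SAMPLE_LOG):
        print(f"suspicious HNAP request from {ip}: metacharacters {chars}")
```

Legitimate configuration values can contain these characters (a Wi-Fi passphrase with `$`, for instance), so treat a hit as a triage signal and correlate it with the client address and the network indicators listed above.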
