CVE-2021-20090 – This CVE describes an unauthenticated path trav... (How to Fix)

Q: What is the severity of CVE-2021-20090?

CVE-2021-20090 has a CVSS score of 9.8 (CRITICAL). This CVE describes an unauthenticated path traversal vulnerability in Buffalo router web interfaces that allows attackers to bypass authentication mechanisms. It affects Buffalo WSR-2533DHPL2 and WSR-2533DHP3 routers with vulnerable firmware versions. Attackers can gain administrative access without credentials.

📋 TL;DR

This CVE describes an unauthenticated path traversal vulnerability in Buffalo router web interfaces that allows attackers to bypass authentication mechanisms. It affects Buffalo WSR-2533DHPL2 and WSR-2533DHP3 routers with vulnerable firmware versions. Attackers can gain administrative access without credentials.

💻 Affected Systems

Products:

Buffalo WSR-2533DHPL2
Buffalo WSR-2533DHP3

Versions: WSR-2533DHPL2 firmware <= 1.02, WSR-2533DHP3 firmware <= 1.24

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web management interfaces. Arcadyan-based routers may share similar vulnerabilities.

📦 What is this software?

Wsr 2533dhp3 Bk Firmware by Buffalo

View all CVEs affecting Wsr 2533dhp3 Bk Firmware →

Wsr 2533dhpl2 Bk Firmware by Buffalo

View all CVEs affecting Wsr 2533dhpl2 Bk Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with ability to modify configurations, intercept traffic, install malware, and pivot to internal networks.

🟠

Likely Case

Unauthorized administrative access to router settings, enabling network reconnaissance, DNS hijacking, and credential theft.

🟢

If Mitigated

Limited impact if routers are behind firewalls with restricted WAN access and strong network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exposure is primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. Actively exploited in the wild according to security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WSR-2533DHPL2 > 1.02, WSR-2533DHP3 > 1.24

Vendor Advisory: https://www.buffalo.jp/support/security/2021/2102.html

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to firmware update section. 3. Download latest firmware from Buffalo support site. 4. Upload and apply firmware update. 5. Reboot router after update completes.

🔧 Temporary Workarounds

Disable WAN Management Access

all

Prevent external access to router web interface by disabling remote administration.

Network Segmentation

all

Place routers in isolated network segments with strict firewall rules limiting access.

🧯 If You Can't Patch

Replace vulnerable routers with supported models from different vendors
Implement network-based intrusion prevention systems (IPS) with rules blocking exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is WSR-2533DHPL2 <= 1.02 or WSR-2533DHP3 <= 1.24, device is vulnerable.

Check Version:

Login to router web interface and check System Information or Firmware Version page.

Verify Fix Applied:

Confirm firmware version is updated to patched versions: WSR-2533DHPL2 > 1.02 or WSR-2533DHP3 > 1.24.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to admin pages
Multiple failed login attempts followed by successful access without credentials
Unusual configuration changes

Network Indicators:

HTTP requests with path traversal patterns to router management interface
Traffic from unexpected sources to router admin ports

SIEM Query:

source="router_logs" AND (uri="*..*" OR uri="*/../*") AND dest_port=80 OR dest_port=443

📊 Metadata

CVE ID: CVE-2021-20090

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: April 29, 2021

Last Updated: November 3, 2025

🔗 References

https://www.kb.cert.org/vuls/id/914124 Third Party Advisory,US Government Resource
https://www.secpod.com/blog/arcadyan-based-routers-and-modems-under-active-exploitation/ Exploit,Third Party Advisory
https://www.tenable.com/security/research/tra-2021-13 Exploit,Third Party Advisory
https://www.kb.cert.org/vuls/id/914124 Third Party Advisory,US Government Resource
https://www.secpod.com/blog/arcadyan-based-routers-and-modems-under-active-exploitation/ Exploit,Third Party Advisory
https://www.tenable.com/security/research/tra-2021-13 Exploit,Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20090 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-20090, you might also want to check these: