Login Sign Up

CVE-2021-20711

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary operating system commands on affected Aterm WG2600HS routers. Attackers can potentially take full control of the device without authentication. All users running firmware version 1.5.1 or earlier are affected.

💻 Affected Systems

Products:
  • Aterm WG2600HS
Versions: Firmware version 1.5.1 and earlier
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Aterm Wg2600hs Firmware by Nec

View all CVEs affecting Aterm Wg2600hs Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent backdoors, pivot to internal networks, and use the device for botnet activities.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and use as a foothold for attacking other devices on the network.

🟢

If Mitigated

Limited impact if device is behind strict firewall rules and not internet-facing, though internal attackers could still exploit.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows OS command injection via unspecified vectors, suggesting relatively straightforward exploitation once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version newer than 1.5.1

Vendor Advisory: https://jpn.nec.com/security-info/secinfo/nv21-010.html

Restart Required: Yes

Instructions:

1. Download latest firmware from NEC official site. 2. Log into router admin interface. 3. Navigate to firmware update section. 4. Upload and apply new firmware. 5. Router will automatically restart.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate router from critical internal networks and restrict access

Access Control

all

Implement strict firewall rules to limit who can access router management interface

🧯 If You Can't Patch

  • Replace the router with a different model that receives security updates
  • Deploy the router in a DMZ with no access to internal networks

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Information or similar section

Check Version:

Login to router web interface and navigate to System Status or Firmware Information page

Verify Fix Applied:

Verify firmware version is newer than 1.5.1 after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed login attempts followed by successful access
  • Unexpected firmware or configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Unexpected port scans originating from router

SIEM Query:

source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")

📊 Metadata

CVE ID: CVE-2021-20711
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: April 26, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-20711, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)