Login Sign Up

CVE-2021-20990

7.5 HIGH
Authentication Bypass Denial of Service

📋 TL;DR

Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older expose an internal management service on port 8000 without authentication. Attackers can access API endpoints to trigger device shutdown, reboot, or reboot into recovery mode, causing denial of service. This affects all users of these devices with vulnerable firmware.

💻 Affected Systems

Products:
  • Fibaro Home Center 2
  • Fibaro Home Center Lite
Versions: Firmware version 4.600 and older
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable service runs on port 8000 by default in affected firmware versions.

📦 What is this software?

Home Center 2 Firmware by Fibaro

View all CVEs affecting Home Center 2 Firmware →

Home Center Lite Firmware by Fibaro

View all CVEs affecting Home Center Lite Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can remotely reboot devices into recovery mode, potentially enabling further exploitation or causing permanent service disruption requiring physical intervention.

🟠

Likely Case

Remote attackers cause denial of service by triggering device reboots or shutdowns, disrupting home automation functionality.

🟢

If Mitigated

With proper network segmentation and firewall rules, impact is limited to internal network attacks only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to port 8000 and knowledge of API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version newer than 4.600

Vendor Advisory: https://www.fibaro.com/en/support/

Restart Required: Yes

Instructions:

1. Log into Fibaro Home Center web interface
2. Navigate to Settings > System > Updates
3. Check for and install firmware updates
4. Reboot device after update completes

🔧 Temporary Workarounds

Block Port 8000

linux

Use firewall rules to block external access to port 8000 on affected devices

iptables -A INPUT -p tcp --dport 8000 -j DROP

Network Segmentation

all

Place Home Center devices on isolated VLAN without internet access

🧯 If You Can't Patch

  • Implement strict firewall rules blocking all external access to port 8000
  • Monitor network traffic for unauthorized access attempts to port 8000

🔍 How to Verify

Check if Vulnerable:

Check if port 8000 is open and accessible: nmap -p 8000 <device_ip>

Check Version:

Check web interface at http://<device_ip>/api/settings/system or via SSH: cat /etc/version

Verify Fix Applied:

Verify firmware version is newer than 4.600 and port 8000 is not externally accessible

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to port 8000
  • Unexpected device reboots or shutdowns

Network Indicators:

  • External connections to port 8000
  • HTTP requests to /api/shutdown, /api/reboot, or /api/recovery endpoints

SIEM Query:

source_port=8000 OR (http_uri CONTAINS "/api/shutdown" OR http_uri CONTAINS "/api/reboot" OR http_uri CONTAINS "/api/recovery")

📊 Metadata

CVE ID: CVE-2021-20990
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-306
Published: April 19, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-20990, you might also want to check these:

CVE-2025-32433 10.0

This CVE describes a critical vulnerability in Erlang/OTP's SSH server that allows unauthenticated r...

Same vulnerability type (CWE-306)
CVE-2026-23693 10.0

The ElementsKit Lite WordPress plugin versions before 3.7.9 expose an unauthenticated REST endpoint ...

Same vulnerability type (CWE-306)
CVE-2025-58083 10.0

The General Industrial Controls Lynx+ Gateway has a critical authentication bypass vulnerability in ...

Same vulnerability type (CWE-306)