CVE-2021-21879

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to perform directory traversal attacks through the Web Manager File Upload functionality in Lantronix PremierWave 2050 devices. Attackers can overwrite arbitrary files on the system, potentially leading to complete system compromise. Only users running the affected firmware version are impacted.

💻 Affected Systems

Products:
  • Lantronix PremierWave 2050
Versions: 8.9.0.0R4
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Web Manager interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover through arbitrary file overwrite leading to remote code execution, device bricking, or persistent backdoor installation.

🟠 Likely Case

Unauthorized file modification leading to service disruption, configuration changes, or credential theft.

🟢 If Mitigated

Limited impact due to network segmentation, strong authentication controls, and file integrity monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid credentials but uses simple directory traversal techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.9.0.0R5 or later

Vendor Advisory: https://www.lantronix.com/support/software-updates/

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Lantronix support portal.
2. Back up the current configuration.
3. Upload the firmware via Web Manager.
4. Apply the update and restart the device.

🔧 Temporary Workarounds

Disable Web Manager Access

linux

Temporarily disable Web Manager interface to prevent exploitation

# Disable web service via CLI
systemctl stop lantronix-webmanager
# Or block port via firewall
iptables -A INPUT -p tcp --dport 80 -j DROP

Restrict Network Access

linux

Limit Web Manager access to trusted IP addresses only

# Allow only specific IPs to access Web Manager
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PremierWave devices
  • Enforce strong authentication policies and monitor for suspicious login attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via Web Manager dashboard or CLI command: cat /etc/version

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is 8.9.0.0R5 or later and test file upload functionality with traversal attempts

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' sequences in file upload parameters
  • Multiple failed authentication attempts followed by successful login and file upload

Network Indicators:

  • HTTP POST requests to upload endpoints with path traversal payloads
  • Unusual file modification timestamps

SIEM Query:

source="web_logs" AND (uri="*upload*" AND (payload="*../*" OR payload="*..\\*"))
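
The two log indicators above can be checked together in a short script. The following is an added example, not code from the advisory or from Lantronix; the log line format, the `/login` and `/upload` paths and the `filename=` field are hypothetical, and the sample lines are constructed. It decodes nested URL encoding before looking for a `..` path segment, which the literal `../` match in the SIEM query would miss.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in a hypothetical "ts src method uri status filename=<v>" format.
SAMPLE_LOG = """\
2021-11-01T10:00:01 10.0.0.5 POST /login 401 -
2021-11-01T10:00:03 10.0.0.5 POST /login 401 -
2021-11-01T10:00:05 10.0.0.5 POST /login 401 -
2021-11-01T10:00:09 10.0.0.5 POST /login 200 -
2021-11-01T10:00:20 10.0.0.5 POST /upload 200 filename=..%2F..%2Fetc%2Fexample.conf
2021-11-01T10:05:00 10.0.0.8 POST /login 200 -
2021-11-01T10:05:10 10.0.0.8 POST /upload 200 filename=report..final.txt
2021-11-01T10:06:00 10.0.0.9 POST /upload 200 filename=%252e%252e%255cconfig.xml
"""

LINE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\d{3}) (?:filename=(\S+)|-)$")

def has_traversal(value, max_rounds=3):
    """True if value contains a '..' path segment after URL decoding."""
    for _ in range(max_rounds):          # undo nested (double) URL encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in value.replace("\\", "/").split("/")

def scan(log_text, fail_threshold=3):
    """Return (traversal uploads, sources that uploaded after failed-then-successful login)."""
    fails, after_fails = defaultdict(int), set()
    traversal, correlated = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, method, uri, status, filename = m.groups()
        if uri == "/login":
            if status == "401":
                fails[src] += 1
            elif status == "200":
                if fails[src] >= fail_threshold:
                    after_fails.add(src)
                fails[src] = 0
        elif "upload" in uri and filename:
            if has_traversal(filename):
                traversal.append((ts, src, filename))
            if src in after_fails:
                correlated.add(src)
    return traversal, correlated
```

Matching on whole path segments keeps a name such as `report..final.txt` from raising a false positive.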
