Login Sign Up

CVE-2021-26747

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Netis WF2780 and WF2411 routers by injecting shell metacharacters into the ping command. Attackers can gain full control of affected devices without authentication. Organizations using these specific Netis router models are at risk.

💻 Affected Systems

Products:
  • Netis WF2780
  • Netis WF2411
Versions: WF2780 2.3.40404, WF2411 1.1.29629
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific firmware versions; other Netis models may have similar vulnerabilities.

📦 What is this software?

Wf2411 Firmware by Netis Systems

View all CVEs affecting Wf2411 Firmware →

Wf2780 Firmware by Netis Systems

View all CVEs affecting Wf2780 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router leading to network interception, credential theft, lateral movement to internal systems, and persistent backdoor installation.

🟠

Likely Case

Router takeover enabling traffic monitoring, DNS hijacking, and use as attack platform against internal network.

🟢

If Mitigated

Limited impact if routers are isolated in separate VLANs with strict network segmentation and monitoring.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.
🏢 Internal Only: MEDIUM - Internal routers could be exploited if attacker gains internal network access first.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code available on GitHub; exploitation requires network access to router management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://www.netis-systems.com.tw/

Restart Required: No

Instructions:

Check vendor website for firmware updates. If no patch available, consider replacing affected devices with supported models.

🔧 Temporary Workarounds

Disable WAN Management

all

Prevent external access to router management interface

Access router admin panel → Security → Remote Management → Disable

Network Segmentation

all

Isolate routers in separate VLAN with restricted access

🧯 If You Can't Patch

  • Replace affected routers with supported models from different vendors
  • Implement strict firewall rules blocking all external access to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel: System Status → Firmware Version

Check Version:

Login to router web interface and navigate to firmware information page

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions or test with known exploit payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual ping commands with special characters in router logs
  • Multiple failed authentication attempts followed by ping requests

Network Indicators:

  • HTTP requests to router management interface with shell metacharacters in parameters
  • Outbound connections from router to unexpected destinations

SIEM Query:

source="router_logs" AND (message="ping" AND (message="$" OR message="|" OR message="&"))

📊 Metadata

CVE ID: CVE-2021-26747
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: February 18, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-26747, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)