CVE-2021-26797

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in Hame SD1 Wi-Fi firmware allows attackers to gain administrator access through an open Telnet service with default credentials. It affects all Hame SD1 Wi-Fi devices running firmware version V.20140224154640 or earlier. Attackers can completely compromise affected devices.

💻 Affected Systems

Products:
  • Hame SD1 Wi-Fi device
Versions: All versions <= V.20140224154640
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The Telnet service is enabled by default with weak/default credentials that cannot be changed by users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover allowing attackers to intercept all network traffic, install malware, pivot to other network devices, and maintain persistent access.

🟠 Likely Case

Attackers gain full administrative control of the Wi-Fi device, enabling them to monitor network traffic, change device settings, and potentially access connected devices.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the compromised device only.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked without any authentication required.
🏢 Internal Only: HIGH - Even internally, any attacker on the network can exploit this vulnerability without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only Telnet access to the device with default credentials. No special tools or skills needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch exists. Replace affected devices or implement workarounds.

🔧 Temporary Workarounds

Disable Telnet service

all

Disable the Telnet service if the device configuration allows it

Check device admin interface for Telnet disable option

Network access control

linux

Block Telnet port (23) at network perimeter and internally

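# INPUT protects the Linux host itself; FORWARD applies on a gateway routing traffic to the device
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A FORWARD -p tcp --dport 23 -j DROP
# firewalld: reject port 23 (do not use --add-port, which opens it), then reload to apply the permanent rule
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="23" protocol="tcp" reject'
firewall-cmd --reload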

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict access controls
  • Replace affected Hame SD1 devices with secure alternatives

🔍 How to Verify

Check if Vulnerable:

Attempt Telnet connection to device on port 23 with default credentials (admin/admin or similar)

Check Version:

Check device web interface or console for firmware version

Verify Fix Applied:

Verify Telnet port 23 is closed or inaccessible, and alternative access methods are secured

📡 Detection & Monitoring

Log Indicators:

  • Failed/successful Telnet authentication attempts
  • Unexpected configuration changes

Network Indicators:

  • Telnet connections to device IP on port 23
  • Unusual outbound connections from device

SIEM Query:

(source_port=23 OR destination_port=23) AND (event_type="authentication" OR event_type="connection")
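
The two network indicators listed above, expressed as detection logic over connection records. This is an added example, not part of the original advisory; the device address, the outbound allowlist, the log line format and the sample records are constructed assumptions, and each record is assumed to describe the initiator of a connection.

```python
import re

DEVICE_IP = "192.168.50.10"  # assumed address of the Hame SD1 device
# Assumed legitimate destinations for the device (DNS and NTP on the gateway).
ALLOWED_OUTBOUND = {("udp", "192.168.50.1", 53), ("udp", "192.168.50.1", 123)}

# Assumed record format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample records in time order; not real traffic.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z udp 192.168.50.10:40000 -> 192.168.50.1:53",
    "2024-05-01T10:02:13Z tcp 192.168.50.77:51514 -> 192.168.50.10:23",
    "2024-05-01T10:02:40Z tcp 192.168.50.10:38122 -> 203.0.113.45:4444",
    "2024-05-01T10:03:00Z tcp 192.168.50.77:51600 -> 192.168.50.20:443",
    "garbled line that does not parse",
    "2024-05-01T10:05:00Z udp 192.168.50.10:40001 -> 192.168.50.1:123",
]

def detect(lines, device_ip=DEVICE_IP, allowed=ALLOWED_OUTBOUND):
    """Return (line_no, rule, detail, severity) for each suspicious record."""
    alerts = []
    telnet_seen = False  # has anything connected to the device's Telnet port yet?
    for lineno, line in enumerate(lines, 1):
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of failing the whole run
        proto, src, dst = m["proto"], m["src"], m["dst"]
        dport = int(m["dport"])
        if dst == device_ip and proto == "tcp" and dport == 23:
            # Indicator 1: any Telnet connection to the device.
            telnet_seen = True
            alerts.append((lineno, "telnet-to-device", src, "high"))
        elif src == device_ip and (proto, dst, dport) not in allowed:
            # Indicator 2: device initiates a connection outside its allowlist.
            # Raised to high when it follows Telnet contact with the device.
            severity = "high" if telnet_seen else "medium"
            alerts.append((lineno, "unexpected-outbound", f"{dst}:{dport}", severity))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```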
