CVE-2021-26824

7.1 HIGH

📋 TL;DR

CVE-2021-26824 is an authentication bypass vulnerability in DM FingerTool v1.19 on DM PD065 Secure USB devices. It allows local attackers to replay authentication data and gain full access to all USB features and stored data without proper credentials. This affects users of these specific USB devices with the vulnerable software.

💻 Affected Systems

Products:
  • DM FingerTool
  • DM PD065 Secure USB
Versions: v1.19
Operating Systems: Windows, Linux, macOS (any OS where the USB is used)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability lies in the fingerprint authentication software shipped with the USB device itself, so it does not depend on host OS configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all encrypted/sensitive data stored on the USB device, including potential exposure of credentials, documents, and other protected information.

🟠 Likely Case

Unauthorized access to USB contents by someone with physical access to the device, leading to data theft or manipulation.

🟢 If Mitigated

Limited impact if the USB device is stored securely and physical access is controlled, though the vulnerability itself remains present.

🌐 Internet-Facing: LOW - This is a local physical device vulnerability requiring physical access to the USB device.
🏢 Internal Only: MEDIUM - Risk exists when devices are used internally, especially if left unattended or shared between users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The replay attack requires capturing authentication data, which can be done by someone with physical access to the device during a legitimate authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider replacing affected USB devices with updated models or using alternative secure storage solutions.

🔧 Temporary Workarounds

  • Discontinue use of affected devices (applies to: all): stop using DM PD065 Secure USB devices with FingerTool v1.19 for sensitive data storage.
  • Implement an additional encryption layer (applies to: all): use third-party encryption software (such as VeraCrypt) on top of the USB's built-in protection.

🧯 If You Can't Patch

  • Physically secure USB devices when not in use (locked storage)
  • Limit sensitive data stored on these devices and use alternative secure storage methods

🔍 How to Verify

Check if Vulnerable:

Check the USB device model and the FingerTool version. If you are using a DM PD065 Secure USB with FingerTool v1.19, the device is vulnerable.

Check Version:

Check the FingerTool software version through its interface or documentation.

Verify Fix Applied:

No fix is available to verify. Consider device replacement as the primary mitigation.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful access
  • Unusual access patterns to USB contents

Network Indicators:

  • Not applicable - local physical device attack

SIEM Query:

Not applicable for this physical device vulnerability.
