CVE-2021-28293

9.8 CRITICAL

📋 TL;DR

CVE-2021-28293 is an unauthenticated account takeover vulnerability in the Forgot Password feature of Seceon aiSIEM before 6.3.2 (build 585). Because the reset link generated by the password reset flow can be recovered by an attacker who never authenticated, anyone who can reach the web interface can set an arbitrary password for any user, including administrators, and take over the platform the organization relies on for security monitoring.

💻 Affected Systems

Products:
  • Seceon aiSIEM
Versions: All versions before 6.3.2 (build 585)
Operating Systems: Any OS running Seceon aiSIEM
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of the Forgot Password feature.

📦 What is this software?

Seceon aiSIEM is a security information and event management (SIEM) platform: it collects logs and events from an organization's hosts and network devices, correlates them into security alerts, and is operated by the security team through a web console. Because it holds the organization's security telemetry and alerting, compromising it undermines detection everywhere else on the network.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the SIEM system, allowing attackers to disable security monitoring, access sensitive log data, and pivot to other systems in the network.

🟠 Likely Case: Unauthorized access to the SIEM console, manipulation of security alerts, and potential exfiltration of security logs.

🟢 If Mitigated: Limited impact if network segmentation and access controls prevent untrusted hosts from reaching the vulnerable interface.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and can be exploited remotely if the affected interface is exposed to the internet.
🏢 Internal Only: HIGH - Even internally, any attacker on the network can exploit this to take over accounts and compromise the SIEM system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable interface but no authentication or special privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.2 (build 585) or later

Vendor Advisory: https://www.seceon.com/advanced-siem-aisiem

Restart Required: Yes

Instructions:

1. Upgrade to Seceon aiSIEM version 6.3.2 (build 585) or later.
2. Follow the vendor's upgrade procedures.
3. Restart the aiSIEM services after the upgrade.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to the aiSIEM web interface to trusted IP addresses only. Rules are evaluated in order, so the ACCEPT must come before the DROP; with -A both are appended after any existing INPUT rules, so remove any earlier rule that already accepts traffic to that port, and persist the result (for example with iptables-save) or it is lost on reboot. If the host is managed by firewalld or ufw, apply the equivalent rule through that tool instead.

# Replace [aiSIEM_PORT] with the web interface port and [TRUSTED_IP] with an address or CIDR range.
# Repeat the ACCEPT line once per trusted source before the final DROP.
iptables -A INPUT -p tcp --dport [aiSIEM_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [aiSIEM_PORT] -j DROP

Disable Password Reset Feature

Platform: all

If the configuration allows it, disable the Forgot Password feature until the upgrade is applied. The vulnerable code path is the reset flow itself, so removing it from the interface removes the unauthenticated entry point.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the aiSIEM system from untrusted networks
  • Enable multi-factor authentication for all administrative accounts if supported. MFA does not stop the password from being reset, but it limits what an attacker can do with the new password at login.

🔍 How to Verify

Check if Vulnerable:

Check the aiSIEM version in the web interface or in the system logs. Both the release and the build number matter: anything before 6.3.2 is vulnerable, and so is 6.3.2 with a build number below 585.

Check Version:

Check the web interface login page or admin console for version information

Verify Fix Applied:

Verify the version is 6.3.2 (build 585) or higher. Then exercise the Forgot Password flow for a test account and confirm that the reset can only be completed with the reset link delivered out of band to the account owner, and that nothing in the application's responses to an unauthenticated client reveals that link.
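When checking many consoles, a script is less error-prone than reading version strings by eye. The example below is added here and is not Seceon tooling; it assumes the version is reported in the form "6.3.2 (build 585)", as this page writes it, and the inventory it scans is constructed for illustration. Comparing tuples rather than strings avoids the trap where "6.3.10" sorts before "6.3.2", and a version with no build number is treated conservatively as build 0, which is then reported as vulnerable for a 6.3.2 install whose build is unknown.

```python
"""Decide whether reported aiSIEM version strings are below the first fixed build.

Added example for this page, not Seceon code. Assumes the console reports
versions as "6.3.2 (build 585)"; adapt VERSION_RE if yours differs.
"""
import re

# First fixed release named on this page: 6.3.2 (build 585).
FIXED = (6, 3, 2, 585)

# Matches "6.3.2", "6.3.2 (build 585)" and "v6.3.2 (Build 585)" inside longer text.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\s*\(build\s*(\d+)\))?", re.IGNORECASE)

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {
    "siem-prod-01": "aiSIEM 6.3.1 (build 570)",
    "siem-prod-02": "aiSIEM 6.3.2 (build 585)",
    "siem-lab-01": "aiSIEM 6.3.2 (build 584)",
    "siem-lab-02": "aiSIEM 6.3.10 (build 12)",
}


def parse_version(text):
    """Return (major, minor, patch, build) from a version string.

    A missing build number is treated as 0 (conservative: an unknown 6.3.2
    build is reported as vulnerable until someone checks it).
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_vulnerable(text):
    """True when the reported version is older than 6.3.2 (build 585)."""
    return parse_version(text) < FIXED


def vulnerable_hosts(inventory=INVENTORY):
    """Sorted hostnames whose reported version is still affected."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


if __name__ == "__main__":
    for host in vulnerable_hosts():
        print(f"{host}: {INVENTORY[host]} is affected by CVE-2021-28293")
```

Feed it the version strings your asset inventory already collects; any host it lists needs the upgrade or the network restriction above.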

📡 Detection & Monitoring

Log Indicators:

  • Bursts of password reset requests from a single IP, especially against several different accounts in a short window
  • Successful password resets for administrative accounts from unusual source IPs, or resets the account owner did not request
  • Account lockout events or failed logins by administrators immediately after a password change they did not make

Network Indicators:

  • Unusual HTTP POST requests to password reset endpoints
  • Traffic to aiSIEM web interface from unexpected sources

SIEM Query:

source="aiSIEM_logs" AND (event_type="password_reset" OR event_type="account_takeover")

The source and field names above are placeholders; map them to the fields your log pipeline actually produces for the aiSIEM web interface. If the SIEM itself may already be compromised, run this search against a copy of the logs held outside it.
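The two log indicators that matter most, a burst of reset requests from one source and an accepted reset from a source that is not a management network, are easy to check against the web server's access log even when the SIEM's own search cannot be trusted. The script below is an added example, not Seceon code or the page's query: the reset endpoint paths, the trusted network and the combined-format log lines are all constructed for illustration and must be replaced with the real URL of the aiSIEM reset flow and your own management ranges.

```python
"""Flag password-reset abuse in web access logs.

Added example for this page, not Seceon code. RESET_PATHS, TRUSTED_NETS and
SAMPLE_LOG are constructed for illustration; substitute the real reset URL
and your management networks.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical paths: the real aiSIEM Forgot Password endpoint is not on this page.
RESET_PATHS = {"/forgotPassword", "/resetPassword"}
# Networks from which administrators are expected to reach the console (assumed).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample, not real aiSIEM output: one legitimate reset from the
# management network, then a burst from an external address.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:14:02:01 +0000] "GET /login HTTP/1.1" 200 1532
10.0.0.5 - - [10/Mar/2021:14:02:30 +0000] "POST /forgotPassword HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2021:14:05:01 +0000] "POST /forgotPassword HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2021:14:05:03 +0000] "POST /forgotPassword HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2021:14:05:04 +0000] "POST /forgotPassword HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2021:14:05:09 +0000] "POST /resetPassword HTTP/1.1" 302 0
198.51.100.2 - - [10/Mar/2021:15:10:00 +0000] "GET /dashboard HTTP/1.1" 200 9001
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_trusted(ip):
    """True when the client address falls inside one of TRUSTED_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_reset_abuse(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (rule, ip) alerts, at most one per rule per IP, in detection order.

    burst:      `threshold` or more reset POSTs from one IP inside `window`
    untrusted:  a reset POST the server accepted (2xx/3xx) from outside TRUSTED_NETS
    """
    recent = defaultdict(deque)  # ip -> timestamps of reset POSTs inside the window
    alerts, flagged_burst, flagged_untrusted = [], set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in RESET_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged_burst:
            flagged_burst.add(ip)
            alerts.append(("burst", ip))
        if 200 <= status < 400 and not is_trusted(ip) and ip not in flagged_untrusted:
            flagged_untrusted.add(ip)
            alerts.append(("untrusted", ip))
    return alerts


if __name__ == "__main__":
    for rule, ip in find_reset_abuse(SAMPLE_LOG):
        print(f"{rule:10s} {ip}")
```

Run it over the access log of the host that fronts the aiSIEM web interface, or over a copy exported to a separate system. The untrusted rule fires on the first accepted reset from outside the management range, which is the event that matters for this CVE; the burst rule catches an attacker enumerating accounts through the reset flow.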
