Login Sign Up

CVE-2021-3297

7.8 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated attackers to gain administrator access to Zyxel NBG2105 routers by setting a login cookie value to 1. It affects users of Zyxel NBG2105 devices with specific firmware versions, enabling complete device compromise.

💻 Affected Systems

Products:
  • Zyxel NBG2105
Versions: V1.00(AAGU.2)C0
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Nbg2105 Firmware by Zyxel

View all CVEs affecting Nbg2105 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to reconfigure network settings, intercept traffic, install malware, or use the device as a pivot point into internal networks.

🟠

Likely Case

Unauthorized administrative access leading to network configuration changes, DNS hijacking, or credential theft from connected devices.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted administrative access and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple cookie manipulation attack requiring minimal technical skill; exploit details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest patched version

Vendor Advisory: https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01490&md=NBG2105

Restart Required: Yes

Instructions:

1. Access Zyxel support portal. 2. Download latest firmware for NBG2105. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot device.

🔧 Temporary Workarounds

Restrict Administrative Access

all

Limit administrative interface access to specific IP addresses or disable remote administration.

Network Segmentation

all

Place router on isolated management network segment with strict firewall rules.

🧯 If You Can't Patch

  • Replace affected device with supported model
  • Implement network monitoring for unauthorized administrative access attempts

🔍 How to Verify

Check if Vulnerable:

Attempt to access admin interface with 'login=1' cookie set; if successful without credentials, device is vulnerable.

Check Version:

Log into router admin interface and check firmware version in system status page

Verify Fix Applied:

After patching, attempt same cookie manipulation; access should be denied without proper authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized admin login attempts
  • Successful logins from unusual IP addresses
  • Configuration changes without authorized user activity

Network Indicators:

  • HTTP requests with 'login=1' cookie to router admin interface
  • Unusual administrative traffic patterns

SIEM Query:

source="router_logs" AND (cookie="login=1" OR "admin" AND "unauthorized")

📊 Metadata

CVE ID: CVE-2021-3297
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287
Published: January 26, 2021
Last Updated: November 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-3297, you might also want to check these:

CVE-2024-27767 10.0

CVE-2024-27767 is an authentication bypass vulnerability that allows attackers to gain unauthorized ...

Same vulnerability type (CWE-287)
CVE-2026-24898 10.0

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx...

Same vulnerability type (CWE-287)
CVE-2026-20127 10.0

This critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager al...

Same vulnerability type (CWE-287)