Login Sign Up

CVE-2021-37130

7.5 HIGH
Path Traversal

📋 TL;DR

This path traversal vulnerability in Huawei FusionCube allows attackers to access files outside restricted directories by manipulating filenames. It affects Huawei FusionCube 6.0.2 installations where the vulnerable component is exposed. Attackers could potentially read sensitive system files or configuration data.

💻 Affected Systems

Products:
  • Huawei FusionCube
Versions: 6.0.2
Operating Systems: Linux-based Huawei OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Huawei FusionCube 6.0.2; other versions are not vulnerable according to vendor advisory.

📦 What is this software?

Fusioncube Firmware by Huawei

View all CVEs affecting Fusioncube Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through reading sensitive configuration files, credentials, or system files that could lead to further exploitation.

🟠

Likely Case

Unauthorized access to sensitive files containing configuration data, logs, or potentially credentials stored in accessible directories.

🟢

If Mitigated

Limited impact with proper network segmentation, file system permissions, and input validation controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities typically have low exploitation complexity, but specific exploit details are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version beyond 6.0.2 (consult Huawei for specific patched version)

Vendor Advisory: https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211020-01-pathtraversal-en

Restart Required: Yes

Instructions:

1. Download the security patch from Huawei support portal. 2. Apply the patch following Huawei's official documentation. 3. Restart affected services or the entire system as required. 4. Verify the patch was successfully applied.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement strict input validation to reject path traversal sequences like '../' in filenames

# Requires application-level code changes; no direct command

File System Permissions Hardening

linux

Restrict file system permissions to limit what directories the vulnerable service can access

chmod 750 /restricted/directories
chown root:servicegroup /restricted/directories

🧯 If You Can't Patch

  • Implement network segmentation to isolate FusionCube from untrusted networks
  • Deploy web application firewall (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check Huawei FusionCube version: cat /etc/huawei-release or equivalent version file

Check Version:

cat /etc/huawei-release 2>/dev/null || huawei-version-check

Verify Fix Applied:

Verify version is updated beyond 6.0.2 and test path traversal attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed file access attempts with '../' sequences
  • Unusual file access patterns from single source

Network Indicators:

  • HTTP requests containing '../' sequences in filenames or parameters

SIEM Query:

source="fusioncube_logs" AND ("../" OR "..\" OR "%2e%2e%2f")

📊 Metadata

CVE ID: CVE-2021-37130
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22
Published: October 27, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37130, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)