CVE-2021-41104

7.5 HIGH

📋 TL;DR

ESPHome versions 2021.9.1 and older with web_server enabled and HTTP basic auth configured are vulnerable to authentication bypass. Attackers can perform over-the-air (OTA) firmware updates without providing valid credentials, potentially compromising ESP8266/ESP32 devices. This affects users who have enabled the web_server component with basic authentication.

💻 Affected Systems

Products:
  • ESPHome
Versions: 2021.9.1 and older
Operating Systems: ESP8266/ESP32 firmware
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when web_server is enabled AND HTTP basic auth is configured. Default configurations without web_server are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could upload malicious firmware to take complete control of the device, potentially creating botnet nodes, stealing data, or disrupting operations.

🟠

Likely Case

Unauthorized firmware modification leading to device malfunction, data exfiltration, or lateral movement within the network.

🟢

If Mitigated

If proper network segmentation and access controls are in place, impact is limited to the affected device only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the device's web interface but no authentication credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021.9.2

Vendor Advisory: https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm

Restart Required: Yes

Instructions:

1. Update ESPHome to version 2021.9.2 or newer.
2. Recompile and flash firmware to affected devices.
3. Verify web_server authentication now properly validates credentials for OTA updates.

🔧 Temporary Workarounds

Disable web_server

Applies to: all

Remove or disable the web_server component from the ESPHome configuration.

Remove the 'web_server:' section from the configuration YAML.

🧯 If You Can't Patch

  • Implement network segmentation to isolate ESP devices from untrusted networks
  • Use firewall rules to restrict access to ESP web interfaces to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check ESPHome version in device logs or web interface. If version is 2021.9.1 or older AND web_server is enabled with basic auth, device is vulnerable.

Check Version:

Check ESPHome logs or web interface for version information

Verify Fix Applied:

After updating to 2021.9.2+, attempt an OTA update without valid credentials; it should fail with an authentication error.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized OTA update attempts
  • Failed authentication logs followed by successful OTA

Network Indicators:

  • HTTP POST requests to /update endpoint without proper authentication headers

SIEM Query:

source="esphome" AND (event="ota_update" AND NOT auth_success="true")
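The two indicators above, implemented as an added example (not part of this advisory or of ESPHome): it parses constructed sample lines in an assumed access-log format, which a reverse proxy or capture in front of the device would have to produce since ESPHome's web_server does not emit such a log itself, and flags accepted POSTs to /update with no credentials as well as a 401 followed by an accepted OTA from the same client.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, not real ESPHome output. Assumed format:
# "<ts> <client> <method> <path> <status> auth=<yes|no>", auth=yes meaning the request carried an Authorization header.
SAMPLE_LOG = """\
2021-09-20T10:00:01 192.168.1.50 GET / 401 auth=no
2021-09-20T10:00:05 192.168.1.50 GET / 200 auth=yes
2021-09-20T10:01:00 192.168.1.77 GET / 401 auth=no
2021-09-20T10:01:02 192.168.1.77 POST /update 200 auth=no
2021-09-20T10:10:00 192.168.1.50 POST /update 200 auth=yes
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$")

def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        e["auth"] = e["auth"] == "yes"
        events.append(e)
    return events

def is_accepted_ota(e):
    # An upload to the web_server's /update endpoint that the device accepted.
    return e["method"] == "POST" and e["path"] == "/update" and e["status"] == 200

def unauthenticated_ota(events):
    """Network indicator: accepted OTA POSTs that carried no credentials at all."""
    return [e for e in events if is_accepted_ota(e) and not e["auth"]]

def failed_auth_then_ota(events, window=timedelta(minutes=5)):
    """Log indicator: a 401 from a client followed by an accepted OTA from the
    same client within `window` (flagged even if the later request had credentials)."""
    last_401, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["status"] == 401:
            last_401[e["client"]] = e["ts"]
        elif is_accepted_ota(e):
            t = last_401.get(e["client"])
            if t is not None and e["ts"] - t <= window:
                hits.append(e)
    return hits
```

In the sample, only 192.168.1.77 trips both rules; 192.168.1.50's earlier 401 falls outside the five-minute window and its OTA carried credentials.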
