CVE-2021-44080

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated administrators on SerComm h500s devices to execute arbitrary operating system commands as root via command injection in the setup.cgi endpoint. It affects SerComm h500s devices running firmware version lowi-h500s-v3.4.22. Attackers with administrative credentials can achieve complete system compromise.

💻 Affected Systems

Products:
  • SerComm h500s
Versions: lowi-h500s-v3.4.22
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative authentication to exploit. Affects the httpd web server's setup.cgi component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover, installation of persistent backdoors, lateral movement to other network devices, data exfiltration, and use as a pivot point for further attacks.

🟠 Likely Case: Unauthorized administrative access leading to device configuration changes, credential harvesting, and potential network reconnaissance.

🟢 If Mitigated: Limited impact if strong authentication controls, network segmentation, and proper access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative credentials. The vulnerability is in the connection_type parameter of the statussupport_diagnostic_tracing.json endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with SerComm for updated firmware

Vendor Advisory: https://www.sercomm.com

Restart Required: Yes

Instructions:

1. Check the SerComm website for firmware updates.
2. Download the appropriate firmware for the h500s model.
3. Upload the firmware via the web interface.
4. Apply the update and restart the device.

🔧 Temporary Workarounds

Restrict Administrative Access (linux)

Limit administrative access to trusted IP addresses only (replace TRUSTED_IP with the address of the management host; the ACCEPT rules must precede the DROP rules):

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Diagnostic Tracing Endpoint (linux)

Block access to the vulnerable endpoint if it is not needed. This string match only inspects plaintext HTTP on port 80 and cannot see the request path inside TLS on port 443, so treat it as a stopgap rather than a substitute for the firmware update:

iptables -A INPUT -p tcp --dport 80 -m string --string "statussupport_diagnostic_tracing.json" --algo bm -j DROP

🧯 If You Can't Patch

  • Isolate device in separate VLAN with strict firewall rules
  • Implement multi-factor authentication for administrative access

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or SSH: cat /etc/version | grep h500s

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is updated beyond lowi-h500s-v3.4.22

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/setup.cgi carrying a connection_type parameter
  • Suspicious command execution patterns in system logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from device
  • Traffic to suspicious IP addresses
  • Unexpected SSH or telnet sessions originating from device

SIEM Query:

source="httpd" AND uri="/cgi-bin/setup.cgi" AND (connection_type="*;*" OR connection_type="*|*" OR connection_type="*`*" OR connection_type="*$(*)")
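The same check as the SIEM query above, applied offline to httpd access logs, as an added example that is not part of this advisory. It assumes a common-log-style line format and that the connection_type parameter appears in the logged query string (both assumptions; the page gives no log format); the sample lines are constructed. Parameter values are percent-decoded before matching, so an encoded metacharacter such as %3B is caught as a literal ';'.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Metacharacters the advisory's SIEM query keys on: ; | ` and $( (plus & and newline).
SHELL_META = re.compile(r"[;|`&\n]|\$\(")

# Assumed common-log-style line: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not taken from a real h500s device.
SAMPLE_LOG = """\
192.0.2.10 - admin [01/Jan/2024:10:00:01 +0000] "POST /cgi-bin/setup.cgi?connection_type=dhcp HTTP/1.1" 200 512
192.0.2.10 - admin [01/Jan/2024:10:00:05 +0000] "POST /cgi-bin/setup.cgi?connection_type=dhcp%3Bid HTTP/1.1" 200 640
192.0.2.11 - admin [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 128
"""


def suspicious_value(value: str) -> bool:
    """True when a percent-decoded parameter value carries shell metacharacters."""
    return SHELL_META.search(value) is not None


def scan_log(text: str) -> list[dict]:
    """Return one finding per setup.cgi request whose connection_type looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["uri"])
        if not url.path.endswith("/setup.cgi"):
            continue
        # parse_qs percent-decodes values, so %3B is inspected as ';'.
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("connection_type", []):
            if suspicious_value(raw):
                findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "value": raw})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} ({f['user']}): connection_type={f['value']!r}")
```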
