CVE-2021-45427 – CVE-2021-45427 allows unauthenticated attackers... (How to Fix)

Q: What is the severity of CVE-2021-45427?

CVE-2021-45427 has a CVSS score of 9.8 (CRITICAL). CVE-2021-45427 allows unauthenticated attackers to delete arbitrary files on Emerson XWEB 300D EVO systems due to path traversal vulnerabilities and incorrect access controls. This affects industrial control systems running vulnerable versions, potentially disrupting critical operations.

📋 TL;DR

CVE-2021-45427 allows unauthenticated attackers to delete arbitrary files on Emerson XWEB 300D EVO systems due to path traversal vulnerabilities and incorrect access controls. This affects industrial control systems running vulnerable versions, potentially disrupting critical operations.

💻 Affected Systems

Products:

Emerson XWEB 300D EVO

Versions: 3.0.7--3ee403

Operating Systems: Not specified, likely embedded industrial OS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with the vulnerable firmware version; no special configuration required for exploitation.

📦 What is this software?

Xweb300d Evo Firmware by Emerson

View all CVEs affecting Xweb300d Evo Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through deletion of critical system files, configuration files, or application binaries leading to system crashes, data loss, and operational disruption in industrial environments.

🟠

Likely Case

Unauthenticated attackers deleting web application files, configuration files, or log files causing service disruption, loss of operational data, and potential denial of service.

🟢

If Mitigated

Limited impact with proper network segmentation, authentication requirements, and file permission controls preventing unauthorized access to critical systems.

🌐 Internet-Facing: HIGH - Systems exposed to internet are directly exploitable without authentication, allowing immediate file deletion attacks.

🏢 Internal Only: HIGH - Even internally, unauthenticated access means any network-accessible vulnerable system can be exploited by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only HTTP requests with path traversal sequences; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

Contact Emerson for updated firmware or security patches. Check Emerson's security advisories for official remediation guidance.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Emerson XWEB systems from untrusted networks and internet access

Access Control Lists

all

Implement strict firewall rules to limit access to Emerson XWEB systems only from authorized management stations

🧯 If You Can't Patch

Implement network segmentation to isolate vulnerable systems from untrusted networks
Deploy web application firewalls (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check firmware version via device web interface or management console. If version is 3.0.7--3ee403, system is vulnerable.

Check Version:

Check via device web interface or Emerson management tools; no universal CLI command available.

Verify Fix Applied:

Verify firmware has been updated to a version beyond 3.0.7--3ee403. Test with controlled path traversal attempts (in safe environment).

📡 Detection & Monitoring

Log Indicators:

HTTP requests containing '../' sequences or attempts to access/delate files outside web root
Unauthenticated file deletion attempts in web server logs

Network Indicators:

HTTP DELETE or POST requests with path traversal sequences to Emerson XWEB systems

SIEM Query:

source="web_logs" AND (uri="*../*" OR method="DELETE") AND dest_ip="[XWEB_IP]"

📊 Metadata

CVE ID: CVE-2021-45427

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: December 30, 2021

Last Updated: November 21, 2024

🔗 References

https://drive.google.com/file/d/1IN7p9OKRgdszMVC1TKuZQDa4ySCPmQzO/view?usp=sharing Third Party Advisory
https://drive.google.com/file/d/1RegGlCrtyQwW9DUirAbPDiIHKBWgsBea/view?usp=sharing Third Party Advisory
https://drive.google.com/file/d/1iusYdheb62dom0DnvAzEiNR-e4EXSf2k/view?usp=sharing Exploit,Third Party Advisory
https://drive.google.com/file/d/1IN7p9OKRgdszMVC1TKuZQDa4ySCPmQzO/view?usp=sharing Third Party Advisory
https://drive.google.com/file/d/1RegGlCrtyQwW9DUirAbPDiIHKBWgsBea/view?usp=sharing Third Party Advisory
https://drive.google.com/file/d/1iusYdheb62dom0DnvAzEiNR-e4EXSf2k/view?usp=sharing Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-45427, you might also want to check these: