Login Sign Up

CVE-2021-45814

9.8 CRITICAL
SQL Injection Authentication Bypass

📋 TL;DR

CVE-2021-45814 is a critical SQL injection vulnerability in Nettmp NNT 5.1 that allows attackers to bypass authentication and gain administrative access to the system. This affects all organizations using the vulnerable version of Nettmp NNT software. Attackers can exploit this to take full control of affected systems.

💻 Affected Systems

Products:
  • Nettmp NNT
Versions: Version 5.1
Operating Systems: Not specified, likely multiple
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the authentication mechanism and affects default installations.

📦 What is this software?

Nnt by Nettemp

View all CVEs affecting Nnt →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative privileges, allowing data theft, system manipulation, and potential lateral movement to other systems.

🟠

Likely Case

Unauthorized administrative access leading to data exfiltration, configuration changes, and installation of backdoors or malware.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and regular monitoring in place.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet if the panel is exposed, allowing remote attackers to gain administrative access.
🏢 Internal Only: HIGH - Even internally, this allows privilege escalation and administrative access to critical systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making this easily exploitable by attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not found in provided references

Restart Required: No

Instructions:

1. Check vendor website for security updates
2. Apply any available patches immediately
3. If no patch exists, implement workarounds and consider alternative solutions

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block exploitation attempts

Network Segmentation

all

Restrict access to Nettmp NNT panel to only trusted IP addresses/networks

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict internal access
  • Implement additional authentication layers and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check if running Nettmp NNT version 5.1. Review authentication logs for SQL injection patterns.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test authentication bypass attempts after implementing controls. Verify no unauthorized administrative access is possible.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in authentication logs
  • Multiple failed login attempts followed by successful admin login from unusual IP
  • Unusual database queries in application logs

Network Indicators:

  • SQL injection patterns in HTTP requests to authentication endpoints
  • Unusual traffic to admin panel from external sources

SIEM Query:

source="*nettmp*" AND ("sql" OR "injection" OR "union select" OR "' OR '1'='1")

📊 Metadata

CVE ID: CVE-2021-45814
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: December 28, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-45814, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)