CVE-2021-47741
📋 TL;DR
This vulnerability allows limited administrative users on ZBL EPON ONU Broadband Router V100R001 to escalate privileges by accessing configuration endpoints. Attackers can obtain the super user password via configuration backup or password pages, gaining full administrative control. Organizations using these routers are affected.
💻 Affected Systems
- ZBL EPON ONU Broadband Router
⚠️ Manual Verification Required
The NVD entry for this CVE gives no vulnerable version range, so automated detection cannot determine whether your unit is affected.
Why? Neither the vendor nor NVD has published which firmware versions are vulnerable. The public research (see References) was performed against firmware V100R001; other builds are unconfirmed rather than known-safe.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full router compromise allowing attacker to reconfigure network settings, intercept traffic, disable security features, and potentially pivot to internal networks.
Likely Case
Unauthorized administrative access leading to network configuration changes, service disruption, and credential theft.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching router management interfaces.
🎯 Exploit Status
Exploit requires existing limited administrative access. Public exploit code available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No vendor advisory found
Restart Required: No
Instructions:
No official patch available. Check vendor website for firmware updates.
🔧 Temporary Workarounds
Restrict Access to Configuration Endpoints
Block access to the configuration backup and password pages for limited admin users.
If the firmware offers per-user or per-URL access control, configure it to deny limited users the /config/backup and /password endpoints; if it does not, this workaround is unavailable and the next one applies.
Single Admin Account
Remove limited-privilege accounts and use only the single super admin account.
Delete all limited admin accounts via the router admin interface; any such account is one request away from the super user password, so the safest state is to have none.
🧯 If You Can't Patch
- Segment router management interface to isolated VLAN accessible only to trusted administrators
- Implement network monitoring for unusual configuration changes or backup requests
🔍 How to Verify
Check if Vulnerable:
Test if limited admin user can access /config/backup or /password endpoints and retrieve super user credentials
Check Version:
Check the router web interface or CLI for the firmware version (V100R001 is the build the public exploit targets; other builds are unconfirmed, not known-safe)
Verify Fix Applied:
Verify limited admin users cannot access configuration endpoints or retrieve super user passwords
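A small checker for the verification steps above, added here as an example; it is not taken from the advisory or the Exploit-DB entry. It assumes HTTP Basic authentication and the endpoint paths named on this page; the device's real login mechanism and paths may differ, so adapt `fetch` accordingly. The verdict logic is separated from the network call so it can be exercised on a constructed response without a device.

```python
import base64
import re
import urllib.error
import urllib.request

# Endpoints as named on this page (assumption: the real device paths may differ).
ENDPOINTS = ["/config/backup", "/password"]

# Heuristic: an admin/super/root credential field carrying a value in a config
# dump or password page, e.g. 'superadmin password="..."' or 'admin_pwd=...'.
CRED_RE = re.compile(
    r"(?i)(super|admin|root)[^\n<]{0,40}?(passw(or)?d|pwd)[^\n<]{0,10}[=:>\"']\s*\S+"
)


def judge(status, body):
    """Classify one response as (verdict, evidence).

    vulnerable : limited user got 200 and a credential-like field is present
    exposed    : 200 but nothing credential-like matched (inspect manually)
    blocked    : 401/403, the access control holds for this user
    error      : anything else (unreachable, redirect, 5xx, ...)
    """
    if status in (401, 403):
        return "blocked", None
    if status != 200:
        return "error", None
    m = CRED_RE.search(body)
    if m:
        return "vulnerable", m.group(0)
    return "exposed", None


def fetch(base, path, user, password, timeout=5):
    """Request one endpoint as the limited admin user and return (status, body).

    Assumes HTTP Basic auth; replace with a form/cookie login if the device
    uses one.
    """
    req = urllib.request.Request(base.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_device(base, user, password, fetcher=fetch):
    """Run every endpoint through judge(); fetcher is injectable for offline use."""
    return {path: judge(*fetcher(base, path, user, password)) for path in ENDPOINTS}


if __name__ == "__main__":
    import sys
    base_url, limited_user, limited_pw = sys.argv[1:4]
    for path, (verdict, evidence) in check_device(base_url, limited_user, limited_pw).items():
        print(f"{path}: {verdict}" + (f"  ({evidence})" if evidence else ""))
```

Run it as the limited admin, never the super user: `python3 check.py http://192.0.2.1 user <password>`. A `blocked` verdict on both paths after a workaround is applied is the "Verify Fix Applied" condition; an `exposed` verdict still means the page was served to a limited account and should be read by hand, since the credential pattern is only a heuristic.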
📡 Detection & Monitoring
Log Indicators:
- A successful login by a limited-privilege account followed within minutes by a configuration backup or password-page request (the exploit needs valid limited-admin credentials, so a burst of failed logins just before suggests guessing for such an account)
- Unusual admin account activity from limited privilege users
Network Indicators:
- HTTP requests to /config/backup or /password endpoints from non-super-admin accounts
SIEM Query:
source="router_logs" AND (uri="/config/backup" OR uri="/password") AND user!="superadmin"
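The log and network indicators above, together with the SIEM query, implemented as detection logic over constructed sample log lines. This is an added example, not vendor tooling: the log format (timestamp, source IP, account, method, URI, HTTP status) and the `superadmin` account name are assumptions, so map the fields to whatever your router or syslog collector actually emits. It goes one step beyond the query by also counting failed logins that precede the limited-account login.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real ZBL logs) in an assumed format:
# "<ISO timestamp> <source ip> <account> <method> <uri> <http status>".
SAMPLE_LOG = """\
2021-03-28T10:00:01 192.168.1.50 user POST /login 401
2021-03-28T10:00:04 192.168.1.50 user POST /login 401
2021-03-28T10:00:07 192.168.1.50 user POST /login 200
2021-03-28T10:00:09 192.168.1.50 user GET /config/backup 200
2021-03-28T10:01:12 192.168.1.50 user GET /password 200
2021-03-28T10:05:00 192.168.1.10 superadmin GET /config/backup 200
2021-03-28T10:06:30 192.168.1.77 user GET /status 200
2021-03-28T11:00:00 192.168.1.10 superadmin POST /login 200
"""

SENSITIVE_URIS = {"/config/backup", "/password"}   # the URIs in the SIEM query above
SUPER_ADMINS = {"superadmin"}                       # assumed super user account name
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, method, uri, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
                       "method": method, "uri": uri, "status": int(status)})
    return events


def sensitive_by_non_super(events):
    """Network indicator / SIEM query: sensitive URI served (200) to a non-super-admin."""
    return [e for e in events
            if e["uri"] in SENSITIVE_URIS and e["user"] not in SUPER_ADMINS and e["status"] == 200]


def login_then_sensitive(events, window=timedelta(minutes=5), min_failures=0):
    """Log indicator: a limited account logs in, optionally after at least
    min_failures failed logins from the same IP inside `window`, and then hits
    a sensitive URI within `window`. Expects events in time order.
    Returns (login_event, sensitive_event) pairs."""
    hits = []
    for i, login in enumerate(events):
        if login["uri"] != "/login" or login["status"] != 200 or login["user"] in SUPER_ADMINS:
            continue
        failures = sum(1 for e in events[:i]
                       if e["uri"] == "/login" and e["status"] != 200
                       and e["ip"] == login["ip"] and login["ts"] - e["ts"] <= window)
        if failures < min_failures:
            continue
        for e in events[i + 1:]:
            if e["ts"] > login["ts"] + window:
                break          # events are time-ordered, nothing later can match
            if e["ip"] == login["ip"] and e["user"] == login["user"] and e["uri"] in SENSITIVE_URIS:
                hits.append((login, e))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in sensitive_by_non_super(evs):
        print("ALERT sensitive endpoint:", e["ts"], e["ip"], e["user"], e["uri"])
    for login, e in login_then_sensitive(evs, min_failures=2):
        print("ALERT login-then-backup:", login["ts"], "->", e["ts"], e["user"], e["uri"])
```

On the sample, the first rule fires on the two requests by `user` and ignores the super admin's own backup download; the sequence rule pairs the successful `user` login with both follow-up requests. Tune `window` and `min_failures` to your environment: the first rule alone is enough to catch the exploit, and the failure count mainly helps separate credential guessing from an insider using a legitimately issued limited account.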
🔗 References
- http://www.zblchina.com
- https://web.archive.org/web/20211220094023/http://www.wd-thailand.com/
- https://www.exploit-db.com/exploits/49737
- https://www.vulncheck.com/advisories/zbl-epon-onu-broadband-router-vr-privilege-escalation-via-configuration-endpoint
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php