10

CVE-2021-35978

An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller including overwriting firmware, adding/removing users, disabling the internal firewall, etc.

Data is provided by the National Vulnerability Database (NVD)
DigiTransport Dr64 Firmware Version <= 5.2.4.9
   DigiTransport Dr64 Version-
DigiTransport Vc74 Firmware Version <= 5.2.4.9
   DigiTransport Vc74 Version-
DigiTransport Wr11 Firmware Version <= 8.2.1.3
   DigiTransport Wr11 Version-
DigiTransport Wr11 Xt Firmware Version <= 8.2.1.3
   DigiTransport Wr11 Xt Version-
DigiTransport Wr21 Firmware Version <= 8.2.1.3
   DigiTransport Wr21 Version-
DigiTransport Wr31 Firmware Version <= 8.2.1.3
   DigiTransport Wr31 Version-
DigiTransport Wr41 Firmware Version >= 5.0.0.0 <= 5.2.4.6
   DigiTransport Wr41 Version-
DigiTransport Wr41 Firmware Version >= 6.0.0.0 <= 6.1.3.5
   DigiTransport Wr41 Version-
DigiTransport Wr41 Firmware Version >= 8.0.0.0 <= 8.3.1.2
   DigiTransport Wr41 Version-
DigiTransport Wr44 Firmware Version <= 8.3.1.2
   DigiTransport Wr44 Versionv2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 8.07% 0.913
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://digi.com
Vendor Advisory