10
CVE-2021-35978
- EPSS 8.07%
- Veröffentlicht 10.12.2021 13:15:07
- Zuletzt bearbeitet 21.11.2024 06:12:52
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller including overwriting firmware, adding/removing users, disabling the internal firewall, etc.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Digi ≫ Transport Dr64 Firmware Version <= 5.2.4.9
Digi ≫ Transport Vc74 Firmware Version <= 5.2.4.9
Digi ≫ Transport Wr11 Firmware Version <= 8.2.1.3
Digi ≫ Transport Wr11 Xt Firmware Version <= 8.2.1.3
Digi ≫ Transport Wr21 Firmware Version <= 8.2.1.3
Digi ≫ Transport Wr31 Firmware Version <= 8.2.1.3
Digi ≫ Transport Wr41 Firmware Version >= 5.0.0.0 <= 5.2.4.6
Digi ≫ Transport Wr41 Firmware Version >= 6.0.0.0 <= 6.1.3.5
Digi ≫ Transport Wr41 Firmware Version >= 8.0.0.0 <= 8.3.1.2
Digi ≫ Transport Wr44 Firmware Version <= 8.3.1.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 8.07% | 0.913 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 10 | 10 | 10 |
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.