CVE-2021-27856

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
certccCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
fatpipeincipvpn_firmware
5.2.0:r34
fatpipeincipvpn_firmware
6.1.2:r70p26
fatpipeincipvpn_firmware
6.1.2:r70p45-m
fatpipeincipvpn_firmware
6.1.2:r70p75-m
fatpipeincipvpn_firmware
7.1.2:r39
fatpipeincipvpn_firmware
9.1.2:r129
fatpipeincipvpn_firmware
9.1.2:r144
fatpipeincipvpn_firmware
9.1.2:r150
fatpipeincipvpn_firmware
9.1.2:r156
fatpipeincipvpn_firmware
9.1.2:r161p12
fatpipeincipvpn_firmware
9.1.2:r161p16
fatpipeincipvpn_firmware
9.1.2:r161p17
fatpipeincipvpn_firmware
9.1.2:r161p2
fatpipeincipvpn_firmware
9.1.2:r161p20
fatpipeincipvpn_firmware
9.1.2:r161p26
fatpipeincipvpn_firmware
9.1.2:r161p3
fatpipeincipvpn_firmware
9.1.2:r164
fatpipeincipvpn_firmware
9.1.2:r164p4
fatpipeincipvpn_firmware
9.1.2:r164p5
fatpipeincipvpn_firmware
9.1.2:r165
fatpipeincipvpn_firmware
9.1.2:r180p2
fatpipeincipvpn_firmware
9.1.2:r185
fatpipeincipvpn_firmware
10.1.2:r60p10
fatpipeincipvpn_firmware
10.1.2:r60p13
fatpipeincipvpn_firmware
10.1.2:r60p32
fatpipeincipvpn_firmware
10.1.2:r60p35
fatpipeincipvpn_firmware
10.1.2:r60p45
fatpipeincipvpn_firmware
10.1.2:r60p55
fatpipeincipvpn_firmware
10.1.2:r60p58
fatpipeincipvpn_firmware
10.1.2:r60p58s1
fatpipeincipvpn_firmware
10.1.2:r60p65
fatpipeincipvpn_firmware
10.1.2:r60p71
fatpipeincipvpn_firmware
10.1.2:r60p82
fatpipeincipvpn_firmware
10.2.2:r10
fatpipeincipvpn_firmware
10.2.2:r25
fatpipeincipvpn_firmware
10.2.2:r38
fatpipeincmpvpn_firmware
5.2.0:r34
fatpipeincmpvpn_firmware
6.1.2:r70p26
fatpipeincmpvpn_firmware
6.1.2:r70p45-m
fatpipeincmpvpn_firmware
6.1.2:r70p75-m
fatpipeincmpvpn_firmware
7.1.2:r39
fatpipeincmpvpn_firmware
9.1.2:r129
fatpipeincmpvpn_firmware
9.1.2:r144
fatpipeincmpvpn_firmware
9.1.2:r150
fatpipeincmpvpn_firmware
9.1.2:r156
fatpipeincmpvpn_firmware
9.1.2:r161p12
fatpipeincmpvpn_firmware
9.1.2:r161p16
fatpipeincmpvpn_firmware
9.1.2:r161p17
fatpipeincmpvpn_firmware
9.1.2:r161p2
fatpipeincmpvpn_firmware
9.1.2:r161p20
fatpipeincmpvpn_firmware
9.1.2:r161p26
fatpipeincmpvpn_firmware
9.1.2:r161p3
fatpipeincmpvpn_firmware
9.1.2:r164
fatpipeincmpvpn_firmware
9.1.2:r164p4
fatpipeincmpvpn_firmware
9.1.2:r164p5
fatpipeincmpvpn_firmware
9.1.2:r165
fatpipeincmpvpn_firmware
9.1.2:r180p2
fatpipeincmpvpn_firmware
9.1.2:r185
fatpipeincmpvpn_firmware
10.1.2:r60p10
fatpipeincmpvpn_firmware
10.1.2:r60p13
fatpipeincmpvpn_firmware
10.1.2:r60p32
fatpipeincmpvpn_firmware
10.1.2:r60p35
fatpipeincmpvpn_firmware
10.1.2:r60p45
fatpipeincmpvpn_firmware
10.1.2:r60p55
fatpipeincmpvpn_firmware
10.1.2:r60p58
fatpipeincmpvpn_firmware
10.1.2:r60p58s1
fatpipeincmpvpn_firmware
10.1.2:r60p65
fatpipeincmpvpn_firmware
10.1.2:r60p71
fatpipeincmpvpn_firmware
10.1.2:r60p82
fatpipeincmpvpn_firmware
10.2.2:r10
fatpipeincmpvpn_firmware
10.2.2:r25
fatpipeincmpvpn_firmware
10.2.2:r38
fatpipeincwarp_firmware
5.2.0:r34
fatpipeincwarp_firmware
6.1.2:r70p26
fatpipeincwarp_firmware
6.1.2:r70p45-m
fatpipeincwarp_firmware
6.1.2:r70p75-m
fatpipeincwarp_firmware
7.1.2:r39
fatpipeincwarp_firmware
9.1.2:r129
fatpipeincwarp_firmware
9.1.2:r144
fatpipeincwarp_firmware
9.1.2:r150
fatpipeincwarp_firmware
9.1.2:r156
fatpipeincwarp_firmware
9.1.2:r161p12
fatpipeincwarp_firmware
9.1.2:r161p16
fatpipeincwarp_firmware
9.1.2:r161p17
fatpipeincwarp_firmware
9.1.2:r161p2
fatpipeincwarp_firmware
9.1.2:r161p20
fatpipeincwarp_firmware
9.1.2:r161p26
fatpipeincwarp_firmware
9.1.2:r161p3
fatpipeincwarp_firmware
9.1.2:r164
fatpipeincwarp_firmware
9.1.2:r164p4
fatpipeincwarp_firmware
9.1.2:r164p5
fatpipeincwarp_firmware
9.1.2:r165
fatpipeincwarp_firmware
9.1.2:r180p2
fatpipeincwarp_firmware
9.1.2:r185
fatpipeincwarp_firmware
10.1.2:r60p10
fatpipeincwarp_firmware
10.1.2:r60p13
fatpipeincwarp_firmware
10.1.2:r60p32
fatpipeincwarp_firmware
10.1.2:r60p35
fatpipeincwarp_firmware
10.1.2:r60p45
fatpipeincwarp_firmware
10.1.2:r60p55
fatpipeincwarp_firmware
10.1.2:r60p58
fatpipeincwarp_firmware
10.1.2:r60p58s1
fatpipeincwarp_firmware
10.1.2:r60p65
fatpipeincwarp_firmware
10.1.2:r60p71
fatpipeincwarp_firmware
10.1.2:r60p82
fatpipeincwarp_firmware
10.2.2:r10
fatpipeincwarp_firmware
10.2.2:r25
fatpipeincwarp_firmware
10.2.2:r38
𝑥
= Vulnerable software versions
References
https://www.fatpipeinc.com/support/cve-list.php
https://www.zeroscience.mk/codes/fatpipe_backdoor.txt
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
https://www.fatpipeinc.com/support/cve-list.php
https://www.zeroscience.mk/codes/fatpipe_backdoor.txt
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php