CVE-2021-33538

EUVD-2021-20230
In Weidmueller Industrial WLAN devices in multiple versions an exploitable improper access control vulnerability exists in the iw_webs account settings functionality. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CERTVDECNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
Affected Products (NVD)
VendorProductVersion
weidmuellerie-wl-bl-ap-cl-eu_firmware
𝑥
≤ 1.16.18
weidmuellerie-wlt-bl-ap-cl-eu_firmware
𝑥
≤ 1.16.18
weidmuellerie-wl-bl-ap-cl-us_firmware
𝑥
≤ 1.16.18
weidmuellerie-wlt-bl-ap-cl-us_firmware
𝑥
≤ 1.16.18
weidmuellerie-wl-vl-ap-br-cl-eu_firmware
𝑥
≤ 1.16.18
weidmuellerie-wlt-vl-ap-br-cl-eu_firmware
𝑥
≤ 1.16.18
weidmuellerie-wl-vl-ap-br-cl-us_firmware
𝑥
≤ 1.16.18
weidmuellerie-wlt-vl-ap-br-cl-us_firmware
𝑥
≤ 1.16.18
weidmuellerie-wl-bl-ap-cl-eu_firmware
𝑥
≤ 1.11.10
weidmuellerie-wlt-bl-ap-cl-eu_firmware
𝑥
≤ 1.11.10
weidmuellerie-wl-bl-ap-cl-us_firmware
𝑥
≤ 1.11.10
weidmuellerie-wlt-bl-ap-cl-us_firmware
𝑥
≤ 1.11.10
weidmuellerie-wl-vl-ap-br-cl-eu_firmware
𝑥
≤ 1.11.10
weidmuellerie-wlt-vl-ap-br-cl-eu_firmware
𝑥
≤ 1.11.10
weidmuellerie-wl-vl-ap-br-cl-us_firmware
𝑥
≤ 1.11.10
weidmuellerie-wlt-vl-ap-br-cl-us_firmware
𝑥
≤ 1.11.10
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert.vde.com/en-us/advisories/vde-2021-026
https://cert.vde.com/en-us/advisories/vde-2021-026