CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2021-20090

CVSS 9.8v3.1pub. 2021-04-29upd. 2025-11-03

A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Buffalo Wsr 2533dhp3 Bk

    HW
    Buffalo
    wszystkie wersje
  • Buffalo Wsr 2533dhp3 Bk Firmware

    OS
    Buffalo
    ≤ 1.24
  • Buffalo Wsr 2533dhpl2 Bk

    HW
    Buffalo
    wszystkie wersje
  • Buffalo Wsr 2533dhpl2 Bk Firmware

    OS
    Buffalo
    ≤ 1.02

CISA KEV — detailsi

Vendori
Arcadyan
Producti
Buffalo Firmware
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
November 17, 2021(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This vulnerability affects multiple routers across several different vendors.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 17 listopada 2021
Tags
Path TraversalAuth Bypass
CWE
References

Related vulnerabilities

CVE-2021-20091HIGH8.8ten sam produkt

The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24...

CVE-2021-20092HIGH7.5ten sam produkt

The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24...

CVE-2026-45777CRITICAL9.3PL ✓ten sam vendor

RCE poprzez command injection w Open XDMoD (wersje 9.5.0–11.0.2)

CVE-2026-45779CRITICAL9.3PL ✓ten sam vendor

SQL Injection w Open XDMoD — nieuwierzytelniony dostęp do bazy danych

CVE-2024-23486CRITICAL9.8PL ✓ten sam vendor

Buffalo WSR-2533DHP — hasło przechowywane w postaci jawnej (plaintext)