CVE-2021-20991

Public Exploit

Fibaro Home Center Authenticated remote command execution

Description

In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.

References

Link	Tags
https://www.iot-inspector.com/blog/advisory-fibaro-home-center/	third party advisory exploit
http://seclists.org/fulldisclosure/2021/Apr/27	mailing list third party advisory
http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html	vdb entry third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2021-20991?: CVE-2021-20991 has been scored as a critical severity vulnerability.
How to fix CVE-2021-20991?: To fix CVE-2021-20991, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-20991 being actively exploited in the wild?: It is possible that CVE-2021-20991 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~24% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-20991?: CVE-2021-20991 affects Fibar Group S.A Fibaro Home Center.

Description

Categories

CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-77 – Improper Neutralization of Special Elements used in a Command ('Command Injection')

References

Frequently Asked Questions