CriticalCISA KEVExploited in the wildPublic exploit

Authentication bypass via path traversal in Buffalo WSR-2533DHPL2/WSR-2533DHP3 web interface

IdentifiersCVE-2021-20090CWE-22· Improper Limitation of a Pathname…

CVE-2021-20090 is a path traversal vulnerability in the web management interface of Buffalo WSR-2533DHPL2 firmware version 1.02 and earlier and WSR-2533DHP3 firmware version 1.24 and earlier. The flaw affects Arcadyan-based router firmware and allows a remote, unauthenticated attacker to use crafted traversal sequences against the web interface to reach protected resources without authenticating. According to the provided advisory context, exploitation can expose sensitive information, including valid request tokens, and can permit modification of router configuration. In effect, the traversal condition enables authentication bypass by granting access to resources that should be restricted behind the administrative interface.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to bypass authentication controls on the router web interface, access protected resources, retrieve sensitive information such as valid request tokens, and alter router settings. This can result in compromise of the router itself and may expose or endanger systems and traffic behind the device by enabling malicious reconfiguration of network services or administrative parameters.

Mitigation

If you can’t patch tonight, do this now.

If an update cannot be applied immediately, disable WAN-side/remote administration and disable exposure of the web management interface from untrusted networks, especially the Internet. Restrict administrative access to trusted internal hosts or a management network until patched. Reducing or eliminating web interface exposure is the primary temporary mitigation described in the provided advisory context.

Remediation

Patch, then assume compromise.

Apply the vendor-provided firmware update that fixes CVE-2021-20090. Specifically, affected Buffalo devices should be upgraded from WSR-2533DHPL2 firmware 1.02 or earlier and WSR-2533DHP3 firmware 1.24 or earlier to a non-vulnerable release provided by the vendor. Where broader Arcadyan-based affected products are in scope, use the relevant vendor firmware that addresses the flaw.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BuffaloWsr-2533dhp3-Bk Firmwareoperating_system

BuffaloWsr-2533dhpl2-Bk Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

security online infoNews

Nov 28, 2024

35 Million Devices Vulnerable: Matrix DDoS Campaign Highlights Growing IoT Threat

A vulnerability in Arcadyan-based router firmware, exploited for unauthorized access and botnet recruitment.

infosecurity magazine comNews

Nov 26, 2024

New DDoS Campaign Exploits IoT Devices and Server Misconfigurations

A directory traversal vulnerability in certain router models that allows unauthenticated remote attackers to access sensitive information or execute commands.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2021-20090

NVD

nvd.nist.gov/vuln/detail/CVE-2021-20090

MITRE CWE · CWE-22

Improper Limitation of a Pathname to a…

Third Party Advisory

kb.cert.org/vuls/id/914124

Third Party Advisory

secpod.com/blog/arcadyan-based-routers-and-modems-under-active-exploitation

Third Party Advisory

tenable.com/security/research/tra-2021-13

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20090