CVSS: 9.0EPSS: 9%CPEs: 2EXPL: 1CVE-2021-20160
https://notcve.org/view.php?id=CVE-2021-20160
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 contains a command injection vulnerability in the smb functionality of the device. The username parameter used when configuring smb functionality for the device is vulnerable to command injection as root. Trendnet AC2600 TEW-827DRU versión 2.08B01, contiene una vulnerabilidad de inyección de comandos en la funcionalidad smb del dispositivo. El parámetro username usado cuando es configurada la funcionalidad smb para el dispositivo es vulnerable a una inyección de co... • https://www.tenable.com/security/research/tra-2021-54 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-20155
https://notcve.org/view.php?id=CVE-2021-20155
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 makes use of hardcoded credentials. It is possible to backup and restore device configurations via the management web interface. These devices are encrypted using a hardcoded password of "12345678". Trendnet AC2600 TEW-827DRU versión 2.08B01, usa credenciales embebidas. Es posible hacer una copia de seguridad y restaurar las configuraciones del dispositivo por medio de la interfaz web de administración. • https://www.tenable.com/security/research/tra-2021-54 • CWE-798: Use of Hard-coded Credentials •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20153
https://notcve.org/view.php?id=CVE-2021-20153
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 contains a symlink vulnerability in the bittorrent functionality. If enabled, the bittorrent functionality is vulnerable to a symlink attack that could lead to remote code execution on the device. If an end user inserts a flash drive with a malicious symlink on it that the bittorrent client can write downloads to, then a user is able to download arbitrary files to any desired location on the devices filesystem, which could lead to remote code execution. Example dir... • https://www.tenable.com/security/research/tra-2021-54 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20154
https://notcve.org/view.php?id=CVE-2021-20154
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 contains an security flaw in the web interface. HTTPS is not enabled on the device by default. This results in cleartext transmission of sensitive information such as passwords. Trendnet AC2600 TEW-827DRU versión 2.08B01, contiene un fallo de seguridad en la interfaz web. HTTPS no está habilitado en el dispositivo por defecto. • https://www.tenable.com/security/research/tra-2021-54 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20152
https://notcve.org/view.php?id=CVE-2021-20152
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper authentication to the bittorrent functionality. If enabled, anyone is able to visit and modify settings and files via the Bittorent web client by visiting: http://192.168.10.1:9091/transmission/web/ Trendnet AC2600 TEW-827DRU versión 2.08B01, carece de la autenticación apropiada para la funcionalidad bittorrent. Si está habilitada, cualquiera puede visitar y modificar la configuración y los archivos por medio del cliente web de Bittorent al visitar: ht... • https://www.tenable.com/security/research/tra-2021-54 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 3%CPEs: 2EXPL: 1CVE-2021-20159
https://notcve.org/view.php?id=CVE-2021-20159
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 is vulnerable to command injection. The system log functionality of the firmware allows for command injection as root by supplying a malformed parameter. Trendnet AC2600 TEW-827DRU versión 2.08B01, es vulnerable a una inyección de comandos. La funcionalidad system log del firmware permite una inyección de comandos como root al suministrar un parámetro malformado. • https://www.tenable.com/security/research/tra-2021-54 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-20157
https://notcve.org/view.php?id=CVE-2021-20157
30 Dec 2021 — It is possible for an unauthenticated, malicious user to force the device to reboot due to a hidden administrative command. Es posible que un usuario malicioso no autenticado fuerce el reinicio del dispositivo debido a un comando administrativo oculto. • https://www.tenable.com/security/research/tra-2021-54 •
CVSS: 9.8EPSS: 80%CPEs: 2EXPL: 0CVE-2021-20158
https://notcve.org/view.php?id=CVE-2021-20158
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command. Trendnet AC2600 TEW-827DRU versión 2.08B01, contiene una vulnerabilidad de omisión de autenticación. Es posible que un actor malicioso no autenticado fuerce el cambio de la contraseña de administrador debido a un comando administrativo oculto. • https://www.tenable.com/security/research/tra-2021-54 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20156
https://notcve.org/view.php?id=CVE-2021-20156
30 Dec 2021 — Trendnet AC2600 TEW-827DRU version 2.08B01 contains an improper access control configuration that could allow for a malicious firmware update. It is possible to manually install firmware that may be malicious in nature as there does not appear to be any signature validation done to determine if it is from a known and trusted source. This includes firmware updates that are done via the automated "check for updates" in the admin interface. If an attacker is able to masquerade as the update server, the device ... • https://www.tenable.com/security/research/tra-2021-54 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.8EPSS: 6%CPEs: 2EXPL: 3CVE-2020-14076
https://notcve.org/view.php?id=CVE-2020-14076
15 Jun 2020 — TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an authenticated user to execute arbitrary code by POSTing to apply.cgi via the action st_dev_connect, st_dev_disconnect, or st_dev_rconnect with a sufficiently long wan_type key. Los dispositivos TRENDnet TEW-827DRU versiones hasta 2.06B04, contienen un desbordamiento de búfer en la región stack de la memoria en el binario ssi. El desbordamiento permite a un usuario autenticado ejecutar ... • https://github.com/kuc001/IoTFirmware/blob/master/Trendnet/TEW-827/TRENDnet-st_dev.pdf • CWE-787: Out-of-bounds Write •