// For flags

CVE-2021-28204

ASUS BMC's firmware: command injection - Modify user’s information function

Severity Score

7.2
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can launch command injection to execute command arbitrary.

La función specific en la página de administración Web del firmware de ASUS BMC (Modifica la función de información del usuario) no filtra el parámetro specific. Como obtener el permiso de administrador, unos atacantes remotos pueden iniciar una inyección de comandos para ejecutar un comando arbitrario

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-03-12 CVE Reserved
  • 2021-04-06 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Asus
Search vendor "Asus"
Z10pr-d16 Firmware
Search vendor "Asus" for product "Z10pr-d16 Firmware"
1.14.51
Search vendor "Asus" for product "Z10pr-d16 Firmware" and version "1.14.51"
-
Affected
in Asus
Search vendor "Asus"
Z10pr-d16
Search vendor "Asus" for product "Z10pr-d16"
--
Safe
Asus
Search vendor "Asus"
Asmb8-ikvm Firmware
Search vendor "Asus" for product "Asmb8-ikvm Firmware"
1.14.51
Search vendor "Asus" for product "Asmb8-ikvm Firmware" and version "1.14.51"
-
Affected
in Asus
Search vendor "Asus"
Asmb8-ikvm
Search vendor "Asus" for product "Asmb8-ikvm"
--
Safe
Asus
Search vendor "Asus"
Z10pe-d16 Ws Firmware
Search vendor "Asus" for product "Z10pe-d16 Ws Firmware"
1.14.2
Search vendor "Asus" for product "Z10pe-d16 Ws Firmware" and version "1.14.2"
-
Affected
in Asus
Search vendor "Asus"
Z10pe-d16 Ws
Search vendor "Asus" for product "Z10pe-d16 Ws"
--
Safe