Cyber Resilience

CVE-2021-20090

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 29 April 2021

Published
29 April 2021
Modified
03 November 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9440 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-20090 is a critical-severity Path Traversal (CWE-22) vulnerability in Buffalo Wsr-2533Dhpl2-Bk Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A path traversal vulnerability tracked as CVE-2021-20090 affects the web interfaces of Buffalo WSR-2533DHPL2 firmware versions 1.02 and earlier, as well as WSR-2533DHP3 firmware versions 1.24 and earlier. The issue, assigned CWE-22, resides in the devices' HTTP handling logic and permits directory traversal sequences that circumvent built-in authentication checks.

Unauthenticated attackers can reach the flaw remotely over the network with no credentials or user interaction required. Exploitation yields complete control over the router, allowing arbitrary file access, configuration changes, and full compromise of confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.

Public references, including CERT and SecPod advisories, note that Arcadyan-based routers and modems sharing this firmware lineage are under active exploitation in the wild. The listed sources do not detail specific patches or workarounds, but emphasize the need for immediate firmware updates from Buffalo once available.

EU & UK References

Vulnerability details

A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

buffalo
wsr-2533dhpl2-bk firmware
≤ 1.02
buffalo
wsr-2533dhp3-bk firmware
≤ 1.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks the directory-traversal sequences (CWE-22) that the unauthenticated attacker sends to the web interface to bypass authentication checks.

prevent

Enforces authentication and authorization decisions on every HTTP request so that path-traversal attempts cannot reach protected resources or configuration files.

preventrecover

Requires prompt application of firmware patches that eliminate the path-traversal flaw in the Buffalo WSR-2533 web interface.

References