CVE-2021-22909
Published: 27 May 2021
Summary
CVE-2021-22909 is a high-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Ui EdgeMAX EdgeRouter firmware. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 29.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-10038
Vulnerability details
A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update. This vulnerability is fixed in EdgeMAX EdgeRouter V2.0.9-hotfix.1 and later.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Ensures only authenticated endpoints can access the communication channel, blocking unauthorized non-endpoint access.
- Physically restricts transmission channels so they cannot be accessed or tapped by non-endpoint actors within facilities.
- Periodic TSCM surveys identify unauthorized access points or taps that make communication channels reachable by non-endpoint adversaries.
- When certificates are used to establish component provenance, the control requires correct certificate validation procedures.
- Explicitly isolates the communications path so it cannot be accessed or intercepted by non-endpoint entities during security functions.
- Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
- Restrictions and channel controls reduce the chance that VoIP media or signaling streams remain accessible to non-participants.
- Directly prevents non-endpoint access or interception of the session communication path.