CVE-2021-27860
Published: 08 December 2021
Summary
CVE-2021-27860 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Fatpipeinc Ipvpn Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2021-27860 is an unrestricted file upload flaw (CWE-434) in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1. It is tracked under FatPipe advisory FPSA006 and carries a CVSS 3.1 score of 9.8.
A remote unauthenticated attacker can exploit the issue over the network to upload a file to any location on the filesystem, enabling arbitrary code execution or full system compromise.
FatPipe's advisory and related notices from CISA and the FBI IC3 direct administrators to upgrade to the fixed releases listed above. The CVE is also cataloged in CISA's Known Exploited Vulnerabilities list, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-14598
Vulnerability details
A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of file uploads to the web interface, blocking the unrestricted file-write primitive that enables arbitrary code execution.
- AC-3 (Access Enforcement): enforces access-control policy on the management interface so that only authorized subjects may perform file-upload operations.
- Identification and authentication: requires identification and authentication before any interaction with the web management interface, eliminating the unauthenticated attack vector.