
CVE-2021-28209

Medium

Published: 06 April 2021
Modified: 21 November 2024
CVSS Score v3.1: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0030 (53.7th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-28209 is a medium-severity path traversal (CWE-22) vulnerability in ASUS ASMB9-iKVM firmware. Its CVSS v3.1 base score is 4.9 (Medium).

Operationally, it ranks in the top 46.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.


Vulnerability details

A specific function in the web management page of the ASUS BMC firmware (the delete video file function) does not filter a specific parameter. After obtaining administrator permission, remote attackers can use path traversal to access system files.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor  Product                    Version
asus    asmb9-ikvm firmware        1.11.12
asus    rs720a-e9-rs24-e firmware  1.10.3
asus    rs700a-e9-rs4 firmware     1.10.0
asus    rs700-e9-rs4 firmware      1.09
asus    esc4000 g4x firmware       1.11.6
asus    rs700-e9-rs12 firmware     1.11.5
asus    rs100-e10-pi2 firmware     1.13.6
asus    rs300-e10-ps4 firmware     1.13.6
asus    rs300-e10-rs4 firmware     1.13.6
asus    rs500a-e9-ps4 firmware     1.14.1

+34 more product configuration(s); see NVD for the full list.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
