CVE-2021-28813
Published: 10 September 2021
Summary
CVE-2021-28813 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Qnap Qsw-M2116P-2T2S Firmware. Its CVSS base score is 9.6 (Critical).
Operationally, ranked in the top 40.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-15469
Vulnerability details
A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this…
more
vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Changing default authenticators prior to first use directly prevents use of hard-coded passwords.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.
Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Training instructs users on protecting credentials from disclosure or unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.