Cyber Resilience

CVE-2021-28813

Critical

Published: 10 September 2021

Published
10 September 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
EPSS Score 0.0037 59.5th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-28813 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Qnap Qsw-M2116P-2T2S Firmware. Its CVSS base score is 9.6 (Critical).

Operationally, ranked in the top 40.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this…

more

vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
qsw-m2116p-2t2s firmware
≤ 1.0.6
qnap
qunetswitch
≤ 1.0.6.1509

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Changing default authenticators prior to first use directly prevents use of hard-coded passwords.

addresses: CWE-798 CWE-259

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

addresses: CWE-798 CWE-259

Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.

addresses: CWE-522 CWE-922

Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.

addresses: CWE-798 CWE-259

Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-522

Training instructs users on protecting credentials from disclosure or unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

References