CVE-2021-41719
Published: 04 March 2025
Summary
CVE-2021-41719 is a high-severity Use of GET Request Method With Sensitive Query Strings (CWE-598) vulnerability; the affected vendor is listed as Cvewalkthrough (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked in the top 45.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): Mandates cryptographic protection for the confidentiality and integrity of transmitted sensitive information such as usernames and passwords, directly preventing exposure through network traffic monitoring and mitigating risks in referrers and logs.
- IA-5 (Authenticator Management): Requires secure management and protection of authenticators like passwords against disclosure, prohibiting their transmission in insecure formats such as unencrypted GET requests.
- Monitors the system for unauthorized information disclosures, enabling identification of exposed credentials in browser history, referrers, web logs, or network artifacts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes credentials via GET requests in network traffic, server logs, and browser artifacts, directly enabling Network Sniffing (T1040) and access to Unsecured Credentials: Credentials In Files (T1552.001).
NVD Description
Maharashtra State Electricity Distribution Company Limited Mahavitran iOS Application up to version 16.1 communicates using the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources.
Deeper analysis
CVE-2021-41719 is a sensitive information exposure vulnerability in the Maharashtra State Electricity Distribution Company Limited (MSEDCL) Mahavitran iOS Application up to version 16.1. The application processes requests containing sensitive data, such as user account names and passwords, using the GET method. This practice exposes the information through browser history, referrers, web logs, and other sources. It is associated with CWE-598 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By monitoring network traffic, accessing server logs, or leveraging browser-related artifacts, they can capture transmitted credentials, enabling unauthorized access to affected user accounts and potential account takeover.
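As an added, defender-side example (not from the advisory, NVD, or the vendor), the following Python scans web server access logs for GET requests whose query string carries credential-like parameter names, the CWE-598 pattern described above, and shows how to redact those values before logs are retained. The parameter list and the Common Log Format lines are constructed assumptions.

```python
"""Detect credentials leaked through GET query strings (CWE-598) in web
server access logs, and redact them before the log is retained.
Added example; the sensitive-parameter list and log lines are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry authenticators (assumed list).
SENSITIVE_PARAMS = {"username", "user", "login", "password", "passwd",
                    "pwd", "pass", "token", "otp"}

# Common Log Format: client ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})')

# Constructed sample log: line 1 and line 4 leak authenticators in the URL.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2025:10:00:01 +0000] "GET /api/login?username=alice&password=Secret123 HTTP/1.1" 200 512
203.0.113.5 - - [01/Mar/2025:10:00:02 +0000] "GET /api/bills?accountno=12345 HTTP/1.1" 200 2048
198.51.100.7 - - [01/Mar/2025:10:00:03 +0000] "POST /api/login HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2025:10:00:04 +0000] "GET /reset?token=abc123&user=bob HTTP/1.1" 302 0
"""

def find_leaks(log_text):
    """Return (line_no, method, path, [leaked param names]) for every GET
    request whose query string contains a sensitive parameter name."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        leaked = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                         if k.lower() in SENSITIVE_PARAMS})
        if leaked:
            findings.append((n, m["method"], parts.path, leaked))
    return findings

def redact_target(target):
    """Replace sensitive query values with a marker so retained logs do not
    become a credential store; non-sensitive parameters are kept verbatim."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))

if __name__ == "__main__":
    for line_no, method, path, params in find_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} leaks {params}")
```

Any hit from `find_leaks` is a finding to fix at the application (move the authenticator into a POST body over TLS) rather than only to redact, since referrers and browser history leak the same URL regardless of server-side logging.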
Mitigation details are available in the referenced advisory at https://cvewalkthrough.com/cve-2021-41719-mseb-ios-application-sensitive-information-exposure/.
Details
- CWE(s)