CVE-2021-44207
Published: 21 December 2021
Summary
CVE-2021-44207 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Acclaimsystems Usaherds. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 7.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
Acclaim USAHERDS versions through 7.4.0.1 contain hard-coded credentials (CWE-798). The issue affects the USAHERDS application developed by Acclaim Systems and carries a CVSS 3.1 base score of 8.1: the attack vector is network-reachable with high impact on confidentiality, integrity, and availability, offset only by elevated attack complexity.
An unauthenticated remote attacker can use the embedded credentials to authenticate to the application and obtain full administrative control, allowing arbitrary data access, modification, or disruption of herd-management operations without any user interaction.
Mandiant's disclosure (MNDT-2021-0012) and the vendor site provide technical details on the issue, while CISA lists the vulnerability in its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the need for affected organizations to apply available updates or configuration changes promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-31057
Vulnerability details
Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
- KEV Date Added: 23 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly prohibits embedding credentials in software or firmware, eliminating the static authenticators that enable unauthenticated admin access in this CVE.
- AC-3 (Access Enforcement): enforces that all access decisions require valid, non-hard-coded authentication and authorization, blocking the remote administrative bypass described.
- Flaw remediation (vendor patching): requires prompt installation of vendor patches that remove the hard-coded credentials, directly addressing the flaw listed in CISA KEV.
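The CWE-798 pattern the controls above target, shown as an added, constructed example (not USAHERDS code and not from any vendor or from this page): a login check against a credential embedded in the program, beside a hardened form that provisions the credential at deploy time, stores it only as a salted hash and compares in constant time, plus a small AST-based source check of the kind a CI pipeline can run to catch string literals assigned to credential-like names. The environment variable name APP_ADMIN_PASSWORD, the sample source and all credential values are assumptions made for the example.

```python
"""CWE-798 (hard-coded credentials): vulnerable pattern, hardened form, source check.
Constructed example; nothing here is taken from USAHERDS or any real code base."""
import ast
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, List, Optional, Tuple

# ---- Vulnerable pattern (CWE-798): the authenticator is baked into the code ----
# Anyone who can read the source or the shipped package can log in with it,
# and it cannot be rotated without shipping a new build.
ADMIN_USER = "admin"
ADMIN_PASS = "Sup3rSecret!"  # constructed placeholder, not a real credential


def vulnerable_login(user: str, password: str) -> bool:
    """CWE-798: compares against a credential embedded in the program."""
    return user == ADMIN_USER and password == ADMIN_PASS


# ---- Hardened form: credentials are provisioned at deploy time, stored only as
# salted hashes, and compared in constant time ----
_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_credential_record(password: str) -> Dict[str, bytes]:
    """Stored form of a password, i.e. what an installer or secret store would hold."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(password, salt)}


class HardenedAuthenticator:
    def __init__(self, records: Dict[str, Dict[str, bytes]]):
        # user -> {"salt", "hash"}; no credential material is a literal in the code
        self._records = records
        self._dummy_salt = secrets.token_bytes(16)

    @classmethod
    def from_env(cls, env: Optional[Dict[str, str]] = None) -> "HardenedAuthenticator":
        """Load the admin credential from the environment (stand-in for a secret store).
        APP_ADMIN_PASSWORD is an assumed variable name for this example."""
        env = dict(os.environ) if env is None else env
        pw = env.get("APP_ADMIN_PASSWORD")
        if not pw:
            # Fail closed: no provisioned credential means no admin login at all.
            raise RuntimeError("no admin credential provisioned; refusing to start")
        return cls({"admin": make_credential_record(pw)})

    def login(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            _derive(password, self._dummy_salt)  # keep timing uniform for unknown users
            return False
        return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


# ---- Lightweight source check: flag string literals assigned to credential-like names ----
_CRED_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|token|api_?key)", re.IGNORECASE)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line, name) for non-empty string literals assigned to credential-like names."""
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Assign, ast.AnnAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for t in targets:
                    if isinstance(t, ast.Name) and _CRED_NAME.search(t.id):
                        hits.append((node.lineno, t.id))
    return hits


# Constructed sample source to scan (not from any real project).
SAMPLE_SOURCE = '''
ADMIN_PASS = "Sup3rSecret!"
timeout = "30"
api_token: str = "tok-constructed"
db_password = os.environ["DB_PASSWORD"]
'''

if __name__ == "__main__":
    print("vulnerable login:", vulnerable_login("admin", "Sup3rSecret!"))
    auth = HardenedAuthenticator({"admin": make_credential_record("constructed-pw")})
    print("hardened login:", auth.login("admin", "constructed-pw"), auth.login("admin", "wrong"))
    print("flagged:", find_hardcoded_credentials(SAMPLE_SOURCE))
```

The source check is deliberately narrow (names only, string literals only) so it produces few false positives; `db_password = os.environ[...]` is not flagged because the value is looked up at run time rather than embedded, which is exactly the distinction IA-5 draws.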