Unrated severity · NVD Advisory · Published Dec 30, 2021 · Updated Aug 3, 2024

CVE-2021-20152

Description

Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper authentication to the bittorrent functionality. If enabled, anyone is able to visit and modify settings and files via the Bittorrent web client by visiting: http://192.168.10.1:9091/transmission/web/

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Trendnet AC2600 TEW-827DRU router lacks authentication for its bittorrent web client, allowing unauthenticated remote access to settings and files.

Vulnerability

The Trendnet AC2600 TEW-827DRU router running firmware version 2.08B01 lacks proper authentication for the bittorrent functionality. When enabled, the Transmission web client is accessible without any credentials at http://192.168.10.1:9091/transmission/web/ [1]. This allows any network user to interact with the bittorrent interface.

Exploitation

An attacker only needs network access to the router's IP address on port 9091. No authentication or user interaction is required. By simply navigating to the Transmission web client URL, the attacker gains full access to the bittorrent interface [1].

Impact

An unauthenticated attacker can view and modify bittorrent settings, as well as download, upload, or delete files managed by the bittorrent client. This leads to unauthorized information disclosure and potential integrity compromise of stored data [1].

Mitigation

As of the publication date, no firmware fix has been disclosed in the available references. Users should disable the bittorrent functionality if not needed, or restrict network access to port 9091 via firewall rules to trusted hosts only [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The bittorrent web client (Transmission) is exposed without any authentication check, allowing unauthenticated access to settings and files."

Attack vector

An attacker on the local network can access the bittorrent web client by navigating to `http://192.168.10.1:9091/transmission/web/` without any authentication [1]. The bittorrent functionality must be enabled on the device for this attack path to be available. Once connected, the attacker can view and modify settings as well as read and write files managed by the bittorrent client [1].

Affected code

The bittorrent functionality on the Trendnet AC2600 TEW-827DRU (version 2.08B01) runs a Transmission web client at port 9091. The advisory does not specify a particular source file or function, but the vulnerable endpoint is the Transmission web interface at `/transmission/web/` [1].

What the fix does

The advisory does not include a patch or vendor fix description [1]. The recommended remediation is to ensure the bittorrent web client enforces proper authentication before allowing access to its settings and files. Without a fix, users should disable the bittorrent functionality if it is not needed, or restrict network access to port 9091 to trusted hosts only.
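To confirm on a device you administer that disabling the feature or filtering port 9091 actually took effect, the following added example (not from the advisory or the vendor) sends one GET without credentials and reports the result. The verdict labels and the `classify`/`check` helpers are this example's own names; the default URL is the one quoted in the advisory.

```python
"""Check whether a Transmission web UI on a device you administer asks for credentials."""
import sys
import urllib.error
import urllib.request

# URL quoted in the advisory (the address it gives for the router's web client).
DEFAULT_URL = "http://192.168.10.1:9091/transmission/web/"

# Ignore proxy environment variables so the request goes straight to the LAN device.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify(status):
    """Map the status of an unauthenticated GET to a verdict (labels are this example's own)."""
    if status == 401:
        return "protected"      # server demanded credentials
    if status == 403:
        return "blocked"        # request refused, e.g. by an address allow-list
    if 200 <= status < 300:
        return "exposed"        # interface served without any credentials
    return "inconclusive"       # anything else needs a manual look


def check(url=DEFAULT_URL, timeout=5):
    """Send one GET with no credentials; return (verdict, status or None)."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return classify(resp.status), resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx are raised as exceptions
        return classify(err.code), err.code
    except OSError:                         # refused, filtered, or timed out
        return "unreachable", None


def main(argv):
    url = argv[1] if len(argv) > 1 else DEFAULT_URL
    verdict, status = check(url)
    print(f"{url}: {verdict} (HTTP status: {status})")
    return 1 if verdict == "exposed" else 0   # non-zero exit flags an open interface


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from each network segment that should not reach the service: `unreachable` is the expected result once the feature is disabled or port 9091 is filtered, while `exposed` means the interface still loads without credentials from that vantage point.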

Preconditions

  • config: The bittorrent functionality must be enabled on the device.
  • network: The attacker must have network access to the device on port 9091 (typically local network).

Reproduction

With the bittorrent functionality enabled on the TEW-827DRU, visit `http://192.168.10.1:9091/transmission/web/` in a web browser. The Transmission web interface will load without prompting for any credentials, allowing full access to settings and files [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
