CVE-2021-20159
Description
Trendnet AC2600 TEW-827DRU version 2.08B01 is vulnerable to command injection. The system log functionality of the firmware allows for command injection as root by supplying a malformed parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trendnet AC2600 TEW-827DRU firmware 2.08B01 allows authenticated command injection in the system log function via a malformed parameter, leading to root compromise.
Vulnerability
A command injection vulnerability exists in the system log functionality of Trendnet AC2600 TEW-827DRU firmware version 2.08B01. By supplying a malformed parameter to the system log interface, an attacker can inject arbitrary commands. The vulnerability is present in the firmware and can be triggered by sending a specially crafted request to the affected endpoint. [1]
Exploitation
An attacker must have access to the router's web interface, typically requiring authentication. Once authenticated, the attacker sends a crafted request with a malformed parameter to the system log functionality. The command is then executed on the device with root privileges. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary commands as root on the device. This can lead to full compromise of the router, including data exfiltration, further network attacks, or persistent backdoor installation. [1]
Mitigation
As of the publication date (2021-12-30), no patched firmware version has been released by Trendnet. Users should consider disabling remote management and restricting access to the router's management interface to trusted networks only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Trendnet/AC2600 TEW-827DRU
- Range: = 2.08B01
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-controllable input in the cameo.cameo.syslog_server parameter is passed unsanitized to a system() call, allowing shell command injection."
Attack vector
An attacker must first send a crafted POST request to /apply.cgi that corrupts the syslog configuration file and sets the cameo.cameo.syslog_server parameter to a value containing an injected command (e.g., `telnetd`). The device must then be rebooted. When the victim (or attacker) subsequently visits the syslog configuration page (adm_syslog.asp), the backend detects that syslogd is not running and executes a system() call using the attacker-controlled syslog_server parameter, running the injected command as root [ref_id=1]. The attack requires prior authentication (CVSS: PR:L) but no special privileges beyond a valid session.
Affected code
The vulnerability resides in the syslog configuration functionality of the Trendnet AC2600 TEW-827DRU firmware version 2.08B01. The backend server, when serving the syslog configuration page (adm_syslog.asp), checks if syslogd is running and if not, attempts to start it via a system() call that accepts user-controllable input from the cameo.cameo.syslog_server parameter [ref_id=1].
What the fix does
The advisory does not provide a patch or vendor fix details. The recommended remediation is to apply input validation or sanitization on the cameo.cameo.syslog_server parameter before passing it to a system() call, preventing shell metacharacters (such as semicolons) from being interpreted as command separators [ref_id=1]. No official firmware update is documented in the supplied bundle.
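The validation described above can be written as an allowlist parser that accepts only the expected shape of the value and rejects everything else. This is an added example, not code from the advisory, the vendor or the firmware. The layout `<0|1>/<IPv4>:<port>` is an assumption inferred from the sample value on this page, and `parse_syslog_server` and `struct syslog_target` are hypothetical names. The parser must run on the URL-decoded value.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value layout, inferred from the sample on this page: <0|1>/<IPv4>:<port> */
struct syslog_target {
    int enabled;
    char host[INET_ADDRSTRLEN];
    unsigned port;
};

/* Allowlist parser: returns 0 and fills *out, or -1 if anything else is present. */
int parse_syslog_server(const char *value, struct syslog_target *out)
{
    if (!value || !out) return -1;
    if ((value[0] != '0' && value[0] != '1') || value[1] != '/') return -1;

    const char *host = value + 2;
    const char *colon = strchr(host, ':');
    if (!colon) return -1;
    size_t host_len = (size_t)(colon - host);
    if (host_len == 0 || host_len >= sizeof out->host) return -1;

    char buf[INET_ADDRSTRLEN];
    struct in_addr addr;
    memcpy(buf, host, host_len);
    buf[host_len] = '\0';
    if (inet_pton(AF_INET, buf, &addr) != 1) return -1;   /* strict dotted quad */

    const char *p = colon + 1;
    size_t digits = strspn(p, "0123456789");
    if (digits == 0 || digits > 5 || p[digits] != '\0') return -1; /* no trailing bytes */
    unsigned long port = strtoul(p, NULL, 10);
    if (port == 0 || port > 65535) return -1;

    out->enabled = (value[0] == '1');
    memcpy(out->host, buf, host_len + 1);
    out->port = (unsigned)port;
    return 0;
}

int main(void)
{
    struct syslog_target t;
    /* Constructed inputs: a well-formed value, then one with a trailing ';' token. */
    const char *samples[] = { "1/192.168.1.102:1234", "1/192.168.1.102:1234;x;" };
    for (size_t i = 0; i < 2; i++)
        printf("%-28s -> %s\n", samples[i],
               parse_syslog_server(samples[i], &t) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Once parsed, the host and port should be passed to the daemon as separate argument-vector elements (for example through execv()) rather than concatenated into a string for system(), so that no shell interprets them.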
Preconditions
- auth: Attacker must have an authenticated session (CVSS PR:L) to the device's web interface.
- config: The syslog feature must be configured (it is enabled by default) and syslogd must not be running at the time the syslog config page is visited.
- network: Attacker must be able to send HTTP requests to the device on the local network (network access).
- input: Attacker supplies a malformed cameo.cameo.syslog_server parameter containing shell metacharacters and injected commands.
Reproduction
1. Send a POST request to /apply.cgi with the body: `ccp_act=set&html_response_return_page=adm_syslog.asp&action=tools_syslog&reboot_type=application&cameo.cameo.syslog_server=1%2F192.168.1.102:1234%3btelnetd%3b&cameo.log.enable=1&cameo.log.server=break_config&cameo.log.log_system_activity=1&cameo.log.log_attacks=1&cameo.log.log_notice=1&cameo.log.log_debug_information=1&1629923014463=1629923014463` [ref_id=1].
2. Reboot the device.
3. Visit the syslog configuration page (adm_syslog.asp) to trigger the system() call, which executes the injected command (e.g., telnetd) as root [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.tenable.com/security/research/tra-2021-54 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.