CVE-2021-20160
Description
Trendnet AC2600 TEW-827DRU version 2.08B01 contains a command injection vulnerability in the smb functionality of the device. The username parameter used when configuring smb functionality for the device is vulnerable to command injection as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in the SMB username field of the Trendnet AC2600 TEW-827DRU router allows an unauthenticated remote attacker to execute arbitrary commands as root.
Vulnerability
The Trendnet AC2600 TEW-827DRU router, firmware version 2.08B01, contains a command injection vulnerability in the SMB (Server Message Block) functionality [1]. The username parameter used when configuring SMB is not properly sanitized, allowing an attacker to inject arbitrary operating system commands. The SMB configuration is accessible via the web management interface at /apply_sec.cgi with the action parameter set to smb_setup [1]. The vulnerability exists because the username value is passed directly to a system command executed as root [1].
Exploitation
An attacker can exploit this vulnerability without authentication by sending a crafted HTTP POST request to the device's web interface [1]. The request must target the /apply_sec.cgi endpoint with the action=smb_setup parameter and a malicious smb_username value containing command injection payloads. The attacker needs network access to the router's management interface, which is typically exposed on the LAN side but may also be accessible from the WAN side via IPv6 due to improper firewall rules (CVE-2021-20149) [1]. No user interaction is required.
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges on the affected device [1]. This can lead to full compromise of the router, including the ability to modify configuration, intercept network traffic, install persistent malware, and pivot to other devices on the network. The CVSS vector for this issue is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (December 30, 2021), no patch or fixed firmware version has been released by Trendnet for this vulnerability [1]. Affected users are advised to limit network access to the router's management interface by ensuring it is not exposed to the internet (e.g., by using proper firewall rules for both IPv4 and IPv6) and to monitor vendor advisories for future updates [1]. The device may be at end-of-life; users should consider replacing it with a supported model if no patch becomes available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Trendnet/AC2600 TEW-827DRU
- Range: 2.08B01
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The system() call uses a user-controllable username parameter without sanitization, allowing command injection."
Attack vector
An attacker with authenticated access to the device's web interface can exploit the SMB configuration functionality. When the smb_admin_name parameter is submitted (e.g., via the smbserver.asp page), the backend executes system("deluser %s", smb_admin_name) [1]. By injecting shell metacharacters into the username field, the attacker achieves command execution as root. The vulnerability is remotely exploitable over the network with low complexity, requiring only low-privileged authentication [1].
Affected code
The vulnerability lies in the SMB configuration handler that executes system("deluser %s", smb_admin_name) [1]. The advisory does not specify the exact file path or function name, but the system() call is triggered when modifying SMB settings via the device's web interface.
What the fix does
The advisory does not provide a patch or fixed firmware version [1]. The remediation guidance is implicit: the vendor should sanitize or escape the smb_admin_name parameter before passing it to system(), or replace the system() call with a safer API that does not invoke a shell. Without a published fix, users are advised to restrict network access to the device's management interface and monitor for vendor updates.
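The remediation described above, sketched as an added example (not firmware code and not from the advisory): the username is checked against an allowlist and then handed to deluser as a single argv element with no shell involved. The function names and the 32-character lowercase username policy are assumptions made for illustration.

```c
/* Added example: hypothetical handler code, not the TEW-827DRU firmware. */
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Assumed policy: 1-32 chars, first in [a-z_], rest in [a-z0-9_-]. This rejects
 * every shell metacharacter and a leading '-' that could be read as an option. */
int valid_username(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32) return 0;
    if (!((s[0] >= 'a' && s[0] <= 'z') || s[0] == '_')) return 0;
    for (size_t i = 1; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run argv[0] directly, with no /bin/sh in between; returns exit status or -1. */
int run_argv(char *const argv[])
{
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hardened stand-in for the system("deluser %s", smb_admin_name) pattern. */
int remove_smb_user(const char *name)
{
    if (!valid_username(name)) return -1;   /* refuse before any process starts */
    char *argv[] = { "deluser", (char *)name, NULL };
    return run_argv(argv);                  /* name stays one argument, never parsed */
}

int main(void)
{
    const char *samples[] = { "smbadmin", "guest_01", "a;reboot", "$(id)", "-h", "" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s -> %s\n", samples[i], valid_username(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Either control alone closes the injection; using both means a later change to the username policy cannot reintroduce shell parsing.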
Preconditions
- auth: Attacker must have authenticated access to the device's web interface (low-privileged credentials).
- network: Attacker must be able to reach the device's management web interface over the network.
- input: Attacker must submit a crafted username parameter containing shell metacharacters to the SMB configuration functionality.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.tenable.com/security/research/tra-2021-54 (mitre, x_refsource_MISC)