CVE-2021-20163

Vulnerability

Trendnet AC2600 TEW-827DRU router firmware version 2.08B01 exposes FTP user credentials in plaintext on the ftpserver.asp page. This information disclosure occurs because the web management interface returns the FTP user list, including plaintext usernames and passwords, when the page is requested. No authentication or special privileges are required to access this page [1].

Exploitation

An unauthenticated attacker with network access to the router's management interface can browse to the ftpserver.asp page. Alternatively, the attacker can use an authentication bypass (CVE-2021-20150) by sending a crafted POST request to /apply_sec.cgi with action=setup_wizard_cancel and a redirect to client_status.asp, which then allows access to ftpserver.asp and reveals the FTP credentials in the response text [1].

Impact

Successful exploitation allows an attacker to obtain the plaintext credentials for all configured FTP users on the device. With these credentials, the attacker can log into the FTP service, potentially gaining access to files stored on the router's attached storage or using the FTP service as a pivot point for further network compromise. The confidentiality of stored data is compromised [1].

Mitigation

Trendnet has not released a patched firmware version as of the publication date (2021-12-30). Users should restrict access to the router's management interface to trusted local networks only, disable the FTP service if not required, and monitor for official firmware updates from Trendnet [1].