CVE-2021-20164
Description
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses credentials for the smb functionality of the device. Usernames and passwords for all smb users are revealed in plaintext on the smbserver.asp page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trendnet AC2600 TEW-827DRU firmware 2.08B01 exposes SMB usernames and passwords in plaintext on the smbserver.asp page, allowing network attackers to obtain credentials.
Vulnerability
The Trendnet AC2600 TEW-827DRU router running firmware version 2.08B01 improperly discloses credentials for the SMB functionality. The smbserver.asp page reveals all configured SMB usernames and passwords in plaintext. No special configuration is required; the page is accessible to any authenticated user of the web interface.
Exploitation
An attacker must have network access to the router's web interface (LAN or potentially WAN if exposed) and valid authentication credentials. Alternatively, an authentication bypass such as CVE-2021-20150 could be used to gain access. Once authenticated, the attacker navigates to smbserver.asp and views the plaintext credentials for all SMB users.
Impact
Successful exploitation leads to the disclosure of SMB credentials. An attacker can then access SMB shares on the router or use the credentials for lateral movement within the network. The primary impact is a breach of confidentiality of stored credentials.
Mitigation
As of the publication date (2021-12-30), Trendnet has not released a firmware patch for this vulnerability. Users should restrict access to the web interface to trusted networks, disable SMB if not required, and monitor for future firmware updates. The issue is documented in the Tenable advisory [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Trendnet/AC2600 TEW-827DRU (description)
- Range: 2.08B01
Patches
No patches discovered yet.
References
- www.tenable.com/security/research/tra-2021-54 (mitre, x_refsource_MISC)