CVE-2021-20854
Description
ELECOM WRH-733GBK/GWH LAN routers allow network-adjacent admins to execute arbitrary OS commands due to OS command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The affected products are ELECOM LAN routers WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior. The vulnerability is an OS command injection (CWE-78) as described in [1]. The issue allows a network-adjacent attacker with administrator privileges to execute arbitrary OS commands via unspecified vectors.
Exploitation
An attacker must be network-adjacent (on the same network segment) and must have obtained administrator credentials or gained administrative access to the router's management interface. No user interaction is required beyond the attacker's own privileged actions. The exact vector is not publicly detailed, but the command injection occurs in a component accessible to authenticated administrators [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands on the device. This could lead to full compromise of the router, including disclosure of sensitive information, modification of device configuration, or use of the device as a pivot point for further attacks. The CVSS v3 base score is 6.8 (AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impact [1].
Mitigation
ELECOM has released firmware updates: version v1.03.0 for both WRH-733GBK and WRH-733GWH. Users should update to the latest firmware. No workarounds are listed. The advisory was published November 30, 2021 [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.02.9
- ELECOM CO.,LTD. / ELECOM LAN routers (v5). Range: WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior
Patches
No patches discovered yet.
References
- jvn.jp/en/jp/JVN88993473/index.html (mitre, x_refsource_MISC)
- www.elecom.co.jp/news/security/20211130-01/ (mitre, x_refsource_MISC)