CVE-2021-21872

Vulnerability

An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 [1]. The protocol HTTP POST parameter is unsanitized and directly injected into a traceroute system command executed with root privileges, allowing an authenticated attacker to inject arbitrary OS commands [1].

Exploitation

An attacker with valid authentication credentials sends a specially-crafted HTTP POST request to the Diagnostics: Traceroute endpoint, with a protocol value containing command injection payloads (e.g., via shell metacharacters) [1]. The application fails to validate that the protocol parameter is one of the expected values (udp, tcp, icmp) and passes it directly to the command string, leading to arbitrary command execution as root [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary OS commands with root privileges on the device [1]. This results in full compromise of the PremierWave 2050, including disclosure, modification, or destruction of sensitive data, and potential use as a pivot point within the network. The vulnerability is rated CVSSv3 9.9 (Critical), with network attack vector, low attack complexity, and changed scope [1].

Mitigation

As of the available reference [1], Lantronix has not released a patched firmware version for PremierWave 2050. The vendor should be contacted for a fix or mitigation guidance. If the device cannot be updated, restrict authenticated access to the web manager interface to trusted users only and monitor for suspicious requests. The vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities catalog.