Unrated severity · NVD Advisory · Published Dec 22, 2021 · Updated Aug 3, 2024

CVE-2021-21884

Description

An OS command injection vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated OS command injection in Lantronix PremierWave 2050 Web Manager SslGenerateCSR allows attackers to execute arbitrary commands with root privileges.

Vulnerability

An OS command injection vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 [1]. The feature generates a Certificate Signing Request (CSR) by composing an openssl command using several unsanitized attacker-controlled HTTP POST parameters (c, s, l, o, ou, cn, keytype, bits, curve_bits). The crafted command is then executed with root privileges [1]. The vulnerable code path is reachable only when the authenticated user has write access to the ssl authorization group [1].

Exploitation

To exploit, an attacker must have a valid authenticated HTTP session with the web interface and the ssl group permission [1]. The attacker sends a specially-crafted HTTP POST request to the CSR generation endpoint, injecting shell metacharacters in one of the POST parameters (e.g., cn). The backend concatenates the unsanitized parameter into the openssl command string, which is then executed via a system call. No additional user interaction is required beyond the authenticated request [1].
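As an added illustration (not Lantronix code and not derived from the PremierWave firmware), the C sketch below shows how a CSR generator can take the same POST parameters without ever letting them reach a shell: each DN component is checked against an allow-list, the `-subj` string is assembled with bounded formatting, and openssl is started with fork/execvp instead of a concatenated command string. The parameter handling and the character policy are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>
/* Allow-list for one DN component (c, s, l, o, ou, cn). The character set is a
 * constructed policy for this example, not the vendor's, and admits nothing a
 * shell interprets. keytype/bits/curve_bits would get a fixed-menu check. */
int dn_component_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (!isalnum(ch) && !strchr(" .-_@", ch)) return 0;
    }
    return 1;
}

/* Write "/C=../ST=../L=../O=../OU=../CN=.." into buf. Returns buf, or NULL if
 * any component fails validation or the result does not fit. */
char *build_subject(char *buf, size_t len, const char *c, const char *st,
                    const char *l, const char *o, const char *ou, const char *cn)
{
    const char *keys[] = { "C", "ST", "L", "O", "OU", "CN" };
    const char *vals[] = { c, st, l, o, ou, cn };
    size_t pos = 0;
    for (int i = 0; i < 6; i++) {
        if (!dn_component_ok(vals[i])) return NULL;
        int w = snprintf(buf + pos, len - pos, "/%s=%s", keys[i], vals[i]);
        if (w < 0 || (size_t)w >= len - pos) return NULL;
        pos += (size_t)w;
    }
    return buf;
}

/* Run openssl without a shell: fork/execvp with an argv array, so the subject
 * reaches openssl as one argument whatever it contains. Returns the child's
 * exit status, or -1 if it could not be run. */
int run_openssl_req(const char *subj, const char *keyfile, const char *csrfile)
{
    char *const argv[] = { "openssl", "req", "-new", "-key", (char *)keyfile,
                           "-out", (char *)csrfile, "-subj", (char *)subj, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); } /* 127: exec failed */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejecting the request on any validation failure, rather than stripping characters, keeps the error visible in the web interface and in the device log, which is also where a defender would look for repeated failed CSR submissions.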

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands as root on the device. This results in full compromise of the confidentiality, integrity, and availability of the device, including the ability to exfiltrate data, install backdoors, or pivot to other network resources [1]. The impact is heightened by the high privileges of the web service (root) and the exposure of the web interface on the network.

Mitigation

Lantronix has not released a firmware update that addresses this vulnerability as of the publication date [1]. The only available mitigation is to restrict access to the web management interface to trusted users and network segments, and to ensure that only authorized accounts have the ssl permission. Organizations should monitor Lantronix for an official patch and apply it as soon as it becomes available. This vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities Catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
