CVE-2021-21889
Description
A stack-based buffer overflow vulnerability exists in the Web Manager Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Lantronix PremierWave 2050 Web Manager Ping function allows authenticated remote code execution.
Vulnerability
A stack-based buffer overflow vulnerability exists in the Ping functionality of the Web Manager application (ltrx_evo) on Lantronix PremierWave 2050 version 8.9.0.0R4. The vulnerable function uses sprintf with a fixed-size stack buffer and a user-controlled input from the "host" POST parameter, leading to a stack overflow [1].
Exploitation
An attacker must be authenticated to the Web Manager with no special privileges. By sending a specially crafted HTTP request with an overly long "host" parameter, the attacker can overflow the stack buffer and overwrite the return address, gaining control of the program counter [1].
Impact
Successful exploitation results in remote code execution with root privileges, as the Web Manager runs with elevated permissions. This allows full compromise of the device [1].
Mitigation
As of the advisory publication date (2021-12-22), no fixed version was disclosed. Users should restrict network access to the Web Manager interface and apply strict access controls to mitigate the risk [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lantronix/PremierWave 2050
- Range: = 8.9.0.0R4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unbounded `sprintf` call with a user-controlled source string into a fixed-size stack buffer, allowing stack-based buffer overflow."
Attack vector
An authenticated attacker sends a crafted HTTP POST request to the Ping functionality with a `host` parameter that begins with `"fe80:"` (to pass IPv6 link-local checks), does not contain `%` or null bytes, and is sufficiently long (e.g., 2048+ bytes). The `sprintf` call at [8] then overflows the stack buffer `cmd`, corrupting the saved return address and adjacent stack data, leading to remote code execution [1].
Affected code
The vulnerability resides in the `handler_Ping` function within the `ltrx_evo` Web Manager application. The function extracts the `host` POST parameter and passes it to a `sprintf` call that writes into a fixed-size stack buffer `cmd` (267 bytes) without length checking [1].
What the fix does
No patch is included in the bundle. The advisory recommends that users apply the vendor's fix when it becomes available; as of the disclosure timeline, the vendor requested a release push to mid-November 2021 [1]. The remediation would involve replacing the unbounded `sprintf` with a bounded string copy or using `snprintf` to prevent overflow of the 267-byte `cmd` buffer.
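The bounded form of that remediation, as an added example (not the vendor's code and not taken from the advisory). The format string, the function names `host_is_valid` and `build_ping_cmd`, and the `HOST_MAX` limit are assumptions made for illustration; only the 267-byte `cmd` size comes from the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_SIZE 267   /* size of the stack buffer `cmd` as stated on the page */
#define HOST_MAX 255   /* assumed upper bound for a hostname or IP literal */

/* Pattern the page describes (format string assumed, not vendor source):
 *     char cmd[267];
 *     sprintf(cmd, "ping6 -c %d %s", count, host);   // host length unchecked
 */

/* Allow-list: only characters valid in a hostname, IPv4 or IPv6 literal. */
static int host_is_valid(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > HOST_MAX || host[0] == '-')  /* '-' would parse as an option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '-')
            return 0;
    }
    return 1;
}

/* Returns 0 on success, -1 if the input is rejected or would not fit. */
int build_ping_cmd(char *cmd, size_t cmd_size, const char *host, int count)
{
    if (cmd == NULL || cmd_size == 0 || host == NULL || !host_is_valid(host))
        return -1;
    int n = snprintf(cmd, cmd_size, "ping6 -c %d %s", count, host);
    if (n < 0 || (size_t)n >= cmd_size) {   /* truncated output: refuse to use it */
        cmd[0] = '\0';
        return -1;
    }
    return 0;
}
```

Checking the `snprintf` return value matters as much as the bound itself: a silently truncated command string is still wrong input to whatever executes it.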
Preconditions
- auth: Attacker must have valid credentials to authenticate to the Web Manager
- network: Attacker must be able to send HTTP POST requests to the Ping endpoint
- input: The host parameter must start with 'fe80:', contain no '%' or null bytes, and be longer than the cmd buffer
Reproduction
curl --user user:user -d "ajax=Ping&submit=Ping&timeout=5&count=3&host=`python -c "print('fe80:' + 'M'*2048)"`" http://192.168.0.1/ [ref_id=1]
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1333 (mitre, x_refsource_MISC)