CVE-2021-21890
Description
A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution in the vulnerable portion of the branch (deletedir). An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Lantronix PremierWave 2050 Web Manager allows authenticated remote code execution via crafted HTTP request.
Vulnerability
A stack-based buffer overflow vulnerability exists in the FsBrowseClean functionality of the Lantronix PremierWave 2050 Web Manager application (ltrx_evo) in firmware version 8.9.0.0R4. The vulnerability is triggered when the action POST parameter is set to deletedir (or deletefile), causing a call to sprintf with a fixed-size stack buffer and a user-controlled source string. The affected code path is reachable only for authenticated users with filesystem permissions [1].
Exploitation
An attacker must first authenticate to the Web Manager and have the filesystem permission. The attacker then sends a crafted HTTP POST request to the FsBrowseClean AJAX endpoint with the action parameter set to deletedir and a long, specially crafted dir or path parameter. This overflows a fixed-size stack buffer, corrupting the stack frame and allowing the attacker to control the program counter [1].
Impact
Successful exploitation allows an authenticated attacker to achieve remote code execution on the device. The CVSSv3 score is 9.1 (Critical) with a scope change, indicating the attacker can compromise the entire system from the web interface [1].
Mitigation
As of the publication date (2021-12-22), no firmware update has been released to address this vulnerability. Users should restrict network access to the Web Manager interface to trusted hosts, enforce strong authentication, and monitor for suspicious activity. If possible, disable the Web Manager service if not required [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lantronix/PremierWave 2050
- Range: = 8.9.0.0R4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing length validation on the attacker-controlled `path` parameter before an unchecked `sprintf` copies it into a fixed-size stack buffer."
Attack vector
An authenticated attacker sends a crafted HTTP POST request to the `FsBrowseClean` endpoint with `action=deletedir` and an overly long `path` parameter [1]. The `sprintf` call at [6a] copies the attacker-supplied `path` into a fixed 4120-byte stack buffer without bounds checking, overflowing adjacent stack memory [1]. This can overwrite the return address and other critical data, leading to remote code execution under the privileges of the web server process [1]. The attacker must have valid credentials for the device's web interface.
Affected code
The vulnerability resides in the `sub_559A8` function within the Web Manager's `FsBrowseClean` handler. The function retrieves the `action` and `path` POST parameters, and when `action` equals `"deletedir"`, it calls `sprintf(buff, "%s%s", "/ltrx_user", path)` without any length check on `path` [1]. The stack buffer `buff` is 4120 bytes, but the attacker-controlled `path` can be much larger, leading to a stack-based buffer overflow [1].
What the fix does
The advisory does not include a patch diff, but the root cause is clear: the `sprintf` call at [6a] uses the unchecked format string `"%s%s"` to concatenate the fixed prefix `"/ltrx_user"` with the attacker-controlled `path` into a stack buffer of only 4120 bytes [1]. To fix this vulnerability, the developer must either (a) replace `sprintf` with a bounded function such as `snprintf` that limits the total output to the buffer size, or (b) validate the length of `path` before the copy and reject requests where the concatenated path would exceed the buffer capacity [1].
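The bounded copy described above, as an added example (not Lantronix's code and not taken from the advisory). The function names `build_user_path` and `handle_deletedir` and the 200/400 return codes are hypothetical; the 4120-byte buffer and the `/ltrx_user` prefix are the values stated on this page. It combines options (a) and (b): `snprintf` bounds the write, and a truncated result is rejected rather than used, since a delete handler must never act on a shortened path.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 4120          /* stack buffer size stated in the write-up */
#define USER_ROOT "/ltrx_user"  /* fixed prefix from the sprintf call */

/* Pattern described on the page, shown for contrast only:
 *     char buff[BUFF_SIZE];
 *     sprintf(buff, "%s%s", USER_ROOT, path);   // no bound on strlen(path)
 */

/* Hypothetical hardened helper: writes USER_ROOT + path into out.
 * Returns 0 on success, -1 if the result would not fit (nothing usable
 * is left in out in that case). */
int build_user_path(char *out, size_t out_size, const char *path)
{
    if (out == NULL || out_size == 0 || path == NULL)
        return -1;
    int n = snprintf(out, out_size, "%s%s", USER_ROOT, path);
    if (n < 0 || (size_t)n >= out_size) {  /* encoding error or truncation */
        out[0] = '\0';                     /* never act on a truncated path */
        return -1;
    }
    return 0;
}

/* Hypothetical handler shape: reject before any filesystem action.
 * 200/400 are constructed status values for the example. */
int handle_deletedir(const char *path)
{
    char buff[BUFF_SIZE];
    if (build_user_path(buff, sizeof buff, path) != 0)
        return 400;
    /* directory removal on the validated buff would go here */
    return 200;
}

int main(void)
{
    static char big[9001];            /* constructed oversized input */
    memset(big, 'M', sizeof big - 1);
    printf("oversized path -> %d\n", handle_deletedir(big));
    printf("normal path    -> %d\n", handle_deletedir("/logs"));
    return 0;
}
```

With the 10-byte prefix and the terminating NUL, the longest `path` this accepts is 4109 bytes; anything longer is rejected before the buffer is used.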
Preconditions
- auth: Attacker must have valid credentials for the Lantronix PremierWave 2050 web interface
- network: The device must be reachable over the network via HTTP
- input: The attacker supplies a `path` POST parameter longer than approximately 4100 bytes to overflow the 4120-byte stack buffer
Reproduction
The following curl command reproduces the overflow on an authenticated device [1]:
`curl --user admin:PASS -d "ajax=FsBrowseClean&action=deletedir&dir=/&path=$(python -c "print('M'*9000)")" http://192.168.0.1/`
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2021-1334 (mitre, x_refsource_MISC)