VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2021 · Updated Aug 3, 2024

CVE-2021-21891

Description

A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution in the vulnerable portion of the branch (deletefile). An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack-based buffer overflow in Lantronix PremierWave 2050 Web Manager's FsBrowseClean function allows authenticated remote code execution via crafted HTTP requests.

Vulnerability

A stack-based buffer overflow vulnerability exists in the FsBrowseClean functionality of the Lantronix PremierWave 2050 Web Manager application (ltrx_evo) in firmware version 8.9.0.0R4 (in QEMU) [1]. The flaw resides in two conditional calls to sprintf that copy user-controlled input into a fixed-size stack buffer without proper bounds checking. Depending on the action POST parameter (deletedir or deletefile), a different sprintf call is triggered, both of which are exploitable [1]. The function validates that the action, path, and dir parameters are non-empty and that the authenticated user has filesystem permissions before reaching the vulnerable code [1].

Exploitation

An attacker must have valid credentials to authenticate to the Web Manager and possess the filesystem permission level [1]. The attacker sends a specially crafted HTTP POST request to the FsBrowseClean handler with either a deletedir or deletefile action and provides a long string in the path parameter. The server's sprintf call then copies this long string into a fixed-size stack buffer, causing a stack-based buffer overflow [1]. The overflow corrupts the stack frame, allowing the attacker to control the program counter (PC) register. No user interaction beyond authentication is required [1].

Impact

Successful exploitation yields remote code execution (RCE) on the PremierWave 2050 device [1]. The attacker gains full control of the device with the privileges of the Web Manager process, which runs as root. This results in a complete compromise of confidentiality, integrity, and availability (CIA) of the device. The CVSSv3 score is 9.1 (Critical) [1].

Mitigation

As of the publication date (December 2021), no patched firmware version has been released by Lantronix [1]. Users should monitor the vendor's advisory page for updates. Until a fix is available, restrict network access to the Web Manager interface to trusted users only and follow the principle of least privilege for filesystem permissions [1]. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds validation on the user-supplied path parameter before an unchecked sprintf() copies it into a fixed-size stack buffer."

Attack vector

An authenticated attacker sends a crafted HTTP POST request to the device with `ajax=FsBrowseClean&action=deletefile` and an overly long `path` parameter (e.g., 9000 'M' characters). The `sprintf` at `0x55C24` copies the attacker-controlled path into a fixed 4120-byte stack buffer without bounds checking, causing a stack-based buffer overflow [1]. The overflow corrupts saved registers and the return address, leading to remote code execution under the privileges of the web server process.

Affected code

The vulnerability resides in the `FsBrowseClean` handler of the Web Manager on Lantronix PremierWave 2050 (firmware 8.9.0.0R4). The `deletefile` branch at offset `0x55C00` performs an unchecked `sprintf` call that concatenates the hardcoded path `/ltrx_user` with the user-supplied `path` parameter into a stack buffer (`buff[4120]`) without any length validation [1].

What the fix does

The advisory does not include a patch or remediation guidance beyond the vulnerability disclosure [1]. To close the vulnerability, the `sprintf` call at `0x55C24` must be replaced with a bounded string copy (e.g., `snprintf`) that limits the total written length to the size of the stack buffer (4120 bytes), preventing overflow from an oversized `path` parameter.
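
The bounded copy described above, as an added example (not code from the advisory or the firmware). The 4120-byte buffer and the `/ltrx_user` prefix are the values given on this page; the `"%s%s"` format string and all function names are assumptions made for illustration, and the unchecked form is reconstructed from the description for contrast.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 4120          /* stack buffer size stated on this page */
#define USER_ROOT "/ltrx_user"  /* hardcoded prefix stated on this page */

/* "Before" pattern, reconstructed from the description (format string is an
 * assumption). Nothing bounds the write, so a 9000-byte path runs past
 * out[BUFF_SIZE]. Shown for contrast only; never called below. */
void build_path_unchecked(char *out, const char *path)
{
    sprintf(out, "%s%s", USER_ROOT, path);
}

/* Bounded form: 0 on success, -1 if prefix + path does not fit in out_sz.
 * snprintf writes at most out_sz bytes (NUL included) and returns the length
 * it needed, so n >= out_sz means the result was truncated. */
int build_path_checked(char *out, size_t out_sz, const char *path)
{
    int n;
    if (out == NULL || out_sz == 0 || path == NULL)
        return -1;
    n = snprintf(out, out_sz, "%s%s", USER_ROOT, path);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';          /* never act on a truncated path */
        return -1;
    }
    return 0;
}

/* Hypothetical stand-in for the deletefile branch, fed a constructed path of
 * `len` 'M' bytes as in the page's reproduction. Returns 1 if accepted. */
int accepts_len(size_t len)
{
    static char path[16384];
    char buff[BUFF_SIZE];
    if (len >= sizeof path)
        return 0;
    memset(path, 'M', len);
    path[len] = '\0';
    return build_path_checked(buff, sizeof buff, path) == 0;
}

int main(void)
{
    printf("4109-byte path accepted: %d\n", accepts_len(4109));
    printf("9000-byte path accepted: %d\n", accepts_len(9000));
    return 0;
}
```

With a 10-byte prefix, the longest `path` that fits is 4109 bytes; treating truncation as an error rather than silently continuing keeps the handler from acting on a shortened path.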

Preconditions

  • auth: Attacker must have valid credentials to authenticate to the web interface
  • network: Attacker must be able to send HTTP POST requests to the device on the network
  • input: The request must include the parameters ajax=FsBrowseClean, action=deletefile, and an oversized path value

Reproduction

curl --user admin:PASS -d "ajax=FsBrowseClean&action=deletefile&dir=/&path=`python -c \"print('M'*9000)\"`" http://192.168.0.1/

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
