CVE-2021-21892
Description
A stack-based buffer overflow vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in Lantronix PremierWave 2050 Web Manager FsUnmount allows authenticated remote attackers to execute arbitrary code.
Vulnerability
A stack-based buffer overflow vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 (in QEMU). The vulnerability is triggered when the ltrx_evo application processes an HTTP request containing the FsUnmount ajax directive. The function responsible for handling this directive uses sprintf to copy a user-controlled path POST parameter into a fixed-size stack buffer without proper bounds checking, leading to a stack overflow [1]. The issue is classified as CWE-121 (Stack-based Buffer Overflow).
Exploitation
An attacker must have authenticated access to the Web Manager interface. No special permissions beyond those required for authentication are needed. The attacker sends a specially crafted HTTP POST request with the FsUnmount directive and an overly long path parameter. The malformed request causes a stack buffer overflow, allowing the attacker to overwrite the stack frame and control the program counter [1].
Impact
Successful exploitation allows an authenticated remote attacker to achieve arbitrary code execution on the device. The CVSSv3 score is 9.9 (Critical) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating full compromise of confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (2021-12-22), a patch for firmware version 8.9.0.0R4 has not been disclosed in the available references. Users are advised to contact Lantronix for updated firmware. No workarounds are provided in the advisory [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 8.9.0.0R4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds validation on the attacker-controlled `path` POST parameter allows a stack buffer overflow via an unbounded `sprintf` call."
Attack vector
An authenticated attacker sends a crafted HTTP POST request to the Web Manager with the `ajax=FsUnmount` directive and an overly long `path` parameter. The `path` value is concatenated with the prefix `"/ltrx_user"` via `sprintf` into a 1032-byte stack buffer without bounds checking [1]. This overwrites saved registers and the return address on the stack, giving the attacker control of the program counter and enabling remote code execution. The attacker needs only low-privilege authentication and no special permissions [1].
Affected code
The vulnerable function resides in the Web Manager application `ltrx_evo` at address `0x000558B0`. The function handles the `FsUnmount` AJAX directive. It retrieves the attacker-controlled `path` POST parameter and passes it directly to a `sprintf` call that writes into a fixed-size stack buffer of 1032 bytes (`s` at `SP+0x1028`). No validation or length check is performed on the `path` value before the `sprintf` [1].
What the fix does
The advisory does not include a patch or vendor fix. The recommended remediation is to validate and limit the length of the `path` POST parameter before it is used in the `sprintf` call, or to replace the unbounded `sprintf` with a bounded string copy function such as `snprintf` [1]. No official fix has been published in the disclosed materials.
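The remediation described above, sketched as an added example (not vendor code and not taken from the advisory): the `path` value is length-checked before formatting and the write is bounded with `snprintf`. The function names, the `"%s%s"` layout and the 400/200 return codes are assumptions for illustration; only the `/ltrx_user` prefix and the 1032-byte buffer size come from the text.

```c
#include <stdio.h>
#include <string.h>

#define FS_PREFIX   "/ltrx_user"  /* prefix quoted in the text above */
#define FS_BUF_SIZE 1032          /* stack buffer size quoted in the text above */

/* Hypothetical helper: writes FS_PREFIX + path into out.
 * Returns 0 on success, -1 if path is missing or the result would not fit. */
int build_unmount_path(char *out, size_t out_size, const char *path)
{
    int n;

    if (out == NULL || out_size < sizeof(FS_PREFIX))
        return -1;
    out[0] = '\0';
    if (path == NULL)
        return -1;
    /* Length check first: sizeof(FS_PREFIX) already counts the NUL byte. */
    if (strlen(path) > out_size - sizeof(FS_PREFIX))
        return -1;
    /* Bounded write; treat truncation as an error, never as success. */
    n = snprintf(out, out_size, "%s%s", FS_PREFIX, path);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical handler shape: same-size stack buffer, oversized input rejected. */
int handle_fs_unmount(const char *path_param)
{
    char s[FS_BUF_SIZE];

    if (build_unmount_path(s, sizeof(s), path_param) != 0)
        return 400;               /* assumed status for a rejected request */
    /* The real handler would act on s here; omitted in this sketch. */
    return 200;
}

int main(void)
{
    char big[9001];               /* constructed input: 9000 'M' bytes */
    memset(big, 'M', 9000);
    big[9000] = '\0';
    printf("short path -> %d\n", handle_fs_unmount("/mnt/usb"));
    printf("9000-byte path -> %d\n", handle_fs_unmount(big));
    return 0;
}
```

The longest accepted `path` here is 1021 bytes, which with the 10-byte prefix and the terminator exactly fills the 1032-byte buffer.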
Preconditions
- auth: Attacker must have valid credentials (e.g., admin:PASS) to authenticate to the Web Manager.
- network: Attacker must be able to send HTTP POST requests to the target device over the network.
- input: The `path` POST parameter must be supplied with a value exceeding the 1032-byte stack buffer capacity.
Reproduction
The advisory provides a proof-of-concept curl command: ``curl --user admin:PASS -d "ajax=FsUnmount&dir=/&path=`python -c "print('M'*9000)"`" http://192.168.0.1/`` [1]. This sends an authenticated request with a 9000-byte `path` value, causing a stack buffer overflow and a segmentation fault with registers overwritten with `0x4d4d4d4d` ('M').
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1335 (mitre, x_refsource_MISC)