CVE-2021-21896
Description
A directory traversal vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary file deletion. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated directory traversal in Lantronix PremierWave 2050 Web Manager allows arbitrary file deletion via unsanitized 'path' parameter.
Vulnerability
The vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 (in QEMU). The feature allows authenticated users with filesystem privilege to delete files and directories within /ltrx_user/. However, the path HTTP POST parameter is not fully sanitized, enabling path traversal sequences (e.g., /../) to escape the restricted directory. This leads to arbitrary file deletion on the device. [1]
Exploitation
An attacker must have valid credentials with filesystem privilege to access the FsBrowseClean functionality. The attacker sends a crafted HTTP POST request to the Web Manager with parameters: ajax=FsBrowseClean, dir=/, path=/../, and action=deletefile. The path parameter includes path traversal primitives that bypass sanitization, allowing deletion of any file or directory on the system. The advisory provides a proof-of-concept using curl. [1]
Impact
Successful exploitation allows an authenticated attacker to delete arbitrary files and directories on the device, leading to a denial of service (availability impact) as critical system files may be removed. The CVSSv3 score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact but no confidentiality or integrity impact. [1]
Mitigation
As of the advisory publication (December 2021), no fix has been released by Lantronix. The affected version is PremierWave 2050 firmware 8.9.0.0R4. Users should restrict access to the Web Manager to trusted networks and limit the number of users with filesystem privilege. Monitor for any vendor updates or patches. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 8.9.0.0R4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the 'path' HTTP POST parameter allows path traversal primitives to bypass the intended /ltrx_user/ directory restriction."
Attack vector
An authenticated attacker with filesystem privilege sends a crafted HTTP POST request to the Web Manager's FsBrowseClean functionality [ref_id=1]. The 'path' parameter contains path traversal sequences (e.g., /../etc/delme.poc) that are not sanitized before being used to compose the final file path [ref_id=1]. The system only intended to allow file operations within the /ltrx_user/ subdirectory, but the insufficient sanitization lets the attacker escape that restriction and delete arbitrary files anywhere on the filesystem [CWE-22] [ref_id=1]. The attack is network-accessible and requires only valid authentication credentials with the filesystem privilege [ref_id=1].
Affected code
The vulnerability exists in the FsBrowseClean functionality of the PremierWave 2050 Web Manager [ref_id=1]. The specific code path processes the 'path' HTTP POST parameter without adequate sanitization before composing the final file path for deletion [ref_id=1]. The advisory does not identify specific function names or source files.
What the fix does
The advisory does not include a patch or specific remediation code [ref_id=1]. The recommended fix is to properly sanitize the 'path' HTTP POST parameter to reject or strip path traversal sequences (e.g., "../") before composing the final file path, ensuring all file operations remain confined to the /ltrx_user/ directory [ref_id=1]. Without such sanitization, an authenticated attacker can delete arbitrary files on the device.
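The sanitization described above, written out as an added example (hypothetical code, not Lantronix firmware or anything from the Talos advisory): a naive composition of root + dir + path that models the flawed behaviour, beside a hardened resolver that rejects any ".." segment and then confirms the normalised result still lies beneath /ltrx_user before a delete is allowed. Function names, the request dictionary and the sample parameters are constructed for illustration.

```python
import posixpath
from typing import Optional, Tuple

# Directory the FsBrowseClean feature is meant to be confined to (from the advisory).
LTRX_USER_ROOT = "/ltrx_user"


def unsafe_compose(root: str, dir_param: str, path_param: str) -> str:
    """Model of the flawed behaviour: the user-supplied 'dir' and 'path'
    parameters are concatenated onto the root and used as-is. Normalisation
    resolves the '..' segments, so the result can land outside the root."""
    return posixpath.normpath(root + dir_param + path_param)


def resolve_within_root(root: str, dir_param: str, path_param: str) -> Optional[str]:
    """Hardened replacement (hypothetical). Returns the normalised absolute
    path if it lies strictly beneath `root`, otherwise None.

    Two independent checks are applied:
      1. any '..' segment in either user-supplied parameter is rejected outright;
      2. after joining and normalising, the result must still start with root + '/'.
    """
    for param in (dir_param, path_param):
        if ".." in param.split("/"):
            return None
    # Treat both parameters as relative to the root, never as absolute paths.
    candidate = posixpath.join(root, dir_param.lstrip("/"), path_param.lstrip("/"))
    normalized = posixpath.normpath(candidate)
    root_norm = posixpath.normpath(root)
    if normalized.startswith(root_norm + "/"):
        return normalized
    return None


def handle_fsbrowse_request(params: dict, root: str = LTRX_USER_ROOT) -> Tuple[int, str]:
    """Handler sketch for the FsBrowseClean 'deletefile' action using the
    containment check above. It only decides; it never touches the filesystem."""
    if params.get("ajax") != "FsBrowseClean" or params.get("action") != "deletefile":
        return 400, "unsupported request"
    target = resolve_within_root(root, params.get("dir", "/"), params.get("path", ""))
    if target is None:
        return 403, f"path escapes {root}"
    return 200, f"would delete {target}"


if __name__ == "__main__":
    # Constructed requests: one mirrors the parameters quoted in the advisory,
    # the other is a legitimate path inside the permitted directory.
    traversal = {"ajax": "FsBrowseClean", "dir": "/", "path": "/../etc/delme.poc", "action": "deletefile"}
    benign = {"ajax": "FsBrowseClean", "dir": "/", "path": "logs/old.txt", "action": "deletefile"}
    print("naive composition:", unsafe_compose(LTRX_USER_ROOT, traversal["dir"], traversal["path"]))
    print("hardened:", handle_fsbrowse_request(traversal))
    print("hardened:", handle_fsbrowse_request(benign))
```

The check is purely lexical, which is enough to stop the "../" sequences the advisory describes; a production handler should additionally resolve the candidate with the device's real filesystem (realpath) before deleting, so a symlink inside /ltrx_user/ cannot point the delete elsewhere.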
Preconditions
- auth: Attacker must have valid authentication credentials with the filesystem privilege
- network: Attacker must have network access to the Web Manager interface
- input: Attacker must send a POST request with a crafted 'path' parameter containing path traversal sequences
Reproduction
curl --user admin:PASS -d "ajax=FsBrowseClean&dir=/&path=/../etc/delme.poc&action=deletefile" http://[IP]:[PORT]/
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2021-1338
News mentions
No linked articles in our index yet.