VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2021 · Updated Aug 3, 2024

CVE-2021-21916

Description

An exploitable SQL injection vulnerability exists in the 'group_list' page of the Advantech R-SeeNet 2.4.15 (30.07.2021). It is triggered by a specially crafted HTTP request using the 'description_filter' parameter. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SQL injection in Advantech R-SeeNet 2.4.15 via the `description_filter` parameter on the group_list page allows data exfiltration.

Vulnerability

An exploitable SQL injection vulnerability exists in the `group_list` page of Advantech R-SeeNet version 2.4.15 (30.07.2021). The flaw is triggered via a specially crafted HTTP request to the `description_filter` parameter. The root cause is improper use of prepared statements combined with SQL concatenation in stored procedures: variables that were sanitized lose that protection when the concatenated statement is run against the database [1].
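The root cause named above, shown as an added illustration rather than R-SeeNet's own code: a stored procedure that concatenates a caller-bound parameter into dynamic SQL, next to two hardened forms. MySQL syntax is assumed, and the table and procedure names are hypothetical.

```sql
-- Hypothetical schema and procedure names; MySQL syntax is assumed.
CREATE TABLE router_groups (
  id INT PRIMARY KEY AUTO_INCREMENT,
  description VARCHAR(255) NOT NULL
);

DELIMITER //

-- Vulnerable pattern. The caller binds the filter with a prepared statement,
--   CALL list_groups_concat(?)
-- so the value reaches the procedure as data. The procedure then pastes it
-- into a new SQL string, and the server parses the value as query text.
CREATE PROCEDURE list_groups_concat(IN p_filter VARCHAR(255))
BEGIN
  SET @q = CONCAT(
    'SELECT id, description FROM router_groups ',
    'WHERE description LIKE ''%', p_filter, '%''');
  PREPARE stmt FROM @q;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END //

-- Hardened, option 1: no dynamic SQL. p_filter is only ever a value.
CREATE PROCEDURE list_groups_static(IN p_filter VARCHAR(255))
BEGIN
  SELECT id, description
  FROM router_groups
  WHERE description LIKE CONCAT('%', p_filter, '%');
END //

-- Hardened, option 2: dynamic SQL is kept, but the filter is bound with
-- EXECUTE ... USING instead of being concatenated into the statement text.
CREATE PROCEDURE list_groups_bound(IN p_filter VARCHAR(255))
BEGIN
  SET @q = 'SELECT id, description FROM router_groups WHERE description LIKE ?';
  SET @pattern = CONCAT('%', p_filter, '%');
  PREPARE stmt FROM @q;
  EXECUTE stmt USING @pattern;
  DEALLOCATE PREPARE stmt;
END //

DELIMITER ;
```

In both hardened forms `%` and `_` inside the filter still act as `LIKE` wildcards; that changes which rows match, not the structure of the query.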

Exploitation

An attacker can exploit this vulnerability by sending an authenticated HTTP request with malicious SQL in the `description_filter` parameter. The attacker may be any authenticated user, or the attack can be performed via cross-site request forgery (CSRF) if an authenticated user is tricked into visiting a malicious page [1]. No privileges beyond being an authenticated user are required.

Impact

Successful exploitation allows an attacker to inject arbitrary SQL commands, leading to unauthorized reading of the underlying database. This can result in disclosure of sensitive information, such as router monitoring data and potentially credentials. The CVSSv3 score is 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability impact [1].

Mitigation

As of the publication date (2021-12-22), no patched version has been released by Advantech. Users should apply network segmentation and access controls to limit exposure, and avoid clicking untrusted links while authenticated to the R-SeeNet interface. Monitor for updates from Advantech regarding a fix [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
