VYPR
← All advisories
High severityNVD Advisory· Published Aug 24, 2021· Updated Aug 4, 2024

CVE-2021-38557

CVE-2021-38557

Description

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RaspAP 2.6.6 allows www-data to overwrite a sudoers-allowed script and execute arbitrary commands as root.

Vulnerability

RaspAP 2.6.6 configures insecure sudoers permissions allowing the www-data user to execute /etc/raspap/hostapd/enablelog.sh as root without a password. Additionally, www-data can overwrite this script with arbitrary content [1][2][3].

Exploitation

An attacker with access to the web interface (www-data) can replace /etc/raspap/hostapd/enablelog.sh with a malicious script, then trigger execution via sudo, achieving root command execution [2].

Impact

Successful exploitation grants an attacker root-level command execution on the affected system, leading to full compromise of the device [2].

Mitigation

The vulnerability is fixed in RaspAP versions after 2.6.6. Users should update to the latest version. No workaround is available if the script is writable [1][2].

References
  1. GitHub - RaspAP/raspap-webgui: The easiest, full-featured wireless router setup for Debian-based devices. Period.
  2. NVD - CVE-2021-38557
  3. raspap-webgui/installers/raspap.sudoers at fabc48c7daae4013b9888f266332e510b196a062 · RaspAP/raspap-webgui

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
billz/raspap-webguiPackagist
<= 2.6.6

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.