CVE-2021-42165
Description
A command injection in MitraStar GPT-2541GNAC-N1 firmware 100VNZ0b33 allows authenticated users to escape a restricted shell and gain root access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MitraStar GPT-2541GNAC-N1 (HGU) running firmware BR_g3.5_100VNZ0b33 contains a command injection vulnerability in the `deviceinfo show file` command of the restricted CLI (Reduced_CLI_HGU_v15). The application does not properly sanitize the `path` parameter, allowing an attacker to inject arbitrary shell metacharacters. The issue affects the default restricted shell accessible via SSH. [1][2]
Exploitation
An attacker must have valid SSH credentials to the device (the default 'support' user credentials are often printed on the router label or use common default passwords). After logging in, the attacker is placed in the restricted CLI. When `deviceinfo show file &&/bin/bash` is executed, the concatenation operator `&&` causes the shell to spawn a full interactive BusyBox/ash console after the intended command. No additional user interaction is required. [1][2][3]
Impact
Successful exploitation provides the attacker with a root-level interactive shell, bypassing all command restrictions. This allows full read/write access to the filesystem, including modifying /etc/passwd (or /var/passwd), creating new user accounts, and permanently altering any system resource. The compromise results in complete loss of confidentiality, integrity, and availability of the device. [1][2]
Mitigation
As of the latest available references (May 2022), no firmware patch has been released by MitraStar to address this vulnerability. The device may be at end of life or unsupported. The only mitigation is to restrict SSH access to trusted networks only, disable the default 'support' account if not needed, and use strong, non-default credentials. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1][2][3]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MitraStar/GPT-2541GNAC-N1 HGU
- Range: 100VNZ0b33
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect sanitization of the `path` parameter in the `deviceinfo show file` command allows shell metacharacter injection via `&&`."
Attack vector
An attacker who already has SSH access to the device (using the default "support" credentials printed on the router, or other default credentials) can exploit the `deviceinfo show file` command in the restricted shell. Because the command does not sanitize special characters in the `path` parameter, the attacker can inject a second command using `&&` as a command separator. By supplying `&&/bin/bash` as the path value, the restricted shell executes the injected command, spawning a full BusyBox/ash shell with root privileges [1][2].
Affected code
The restricted CLI command `deviceinfo show file
What the fix does
No patch is provided in the available references. The advisory [1] identifies the root cause as incorrect sanitization of the `path` parameter in the `deviceinfo show file` command. To remediate this vulnerability, the vendor would need to implement proper input validation that rejects or escapes shell metacharacters (such as `&&`, `;`, `|`) in the path parameter, preventing command injection into the underlying shell.
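The remediation described above, sketched as an added example (this is not vendor code and not from the cited advisory): an allowlist check on the path plus an in-process file read, so no shell ever parses the argument. The function names `path_is_safe` and `show_file` are hypothetical, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names: the vendor's CLI source is not public. */

/* Allowlist check: accept only characters a plain file path needs, so
 * &&, ;, |, backticks, $, spaces and newlines are all rejected at once. */
int path_is_safe(const char *path)
{
    size_t len = path ? strlen(path) : 0;
    if (len == 0 || len > 255) return 0;
    if (path[0] == '-') return 0;          /* could be read as an option */
    if (strstr(path, "..")) return 0;      /* no directory traversal */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (!isalnum(c) && c != '/' && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Print a file in-process: no shell is ever involved, so even a path that
 * slipped past validation would be a file name, not a command line.
 * Returns bytes written, or -1 if the path is rejected or unreadable. */
long show_file(const char *path)
{
    char buf[512];
    size_t n;
    long total = 0;
    if (!path_is_safe(path)) return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        total += (long)fwrite(buf, 1, n, stdout);
    fclose(f);
    return total;
}

int main(void)
{
    /* Constructed sample inputs, including the string from the advisory. */
    const char *samples[] = { "/var/log/messages", "&&/bin/bash", "a;b", "../x" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s -> %s\n", samples[i],
               path_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```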
Preconditions
- auth: Attacker must have valid SSH credentials for the device (the 'support' user credentials are printed on the back of the router, or default credentials are used)
- network: Attacker must have network access to the device's SSH service
- config: The device must be running firmware BR_g3.5_100VNZ0b33 (other versions not tested but may also be affected)
Reproduction
1. SSH into the MitraStar GPT-2541GNAC-N1 device using the default "support" credentials found on the back of the router.
2. At the restricted CLI prompt, execute: `deviceinfo show file &&/bin/bash`
3. A BusyBox/ash shell with root privileges is spawned [1][2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/leoservalli/Privilege-escalation-MitraStar/blob/main/README.md (mitre, x_refsource_MISC)
- [2] packetstormsecurity.com/files/164333/Mitrastar-GPT-2541GNAC-N1-Privilege-Escalation.html (mitre, x_refsource_MISC)
- [3] www.exploit-db.com/exploits/50351 (mitre, x_refsource_MISC)