Session Management Flaw in Trendnet AC2600 Router
CVE-2021-20151
10 CRITICAL
What is CVE-2021-20151?
The Trendnet AC2600 TEW-827DRU version 2.08B01 has a significant flaw in its session management. The device relies on IP address verification to manage web sessions instead of a more robust authentication mechanism based on client cookies or session tokens. As a result, an attacker could hijack an active session by spoofing the original user's IP address, thereby gaining unauthorized access to the router's management interface. This weakness poses substantial security risks, particularly if an attacker can do so from a different machine or browser on the same network.
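The two session models contrasted above, as an added example (not Trendnet's firmware code and not part of the original advisory). The class names, the TTL and the 192.0.2.10 address are constructed for illustration.

```python
import hmac
import secrets
import time

SESSION_TTL = 600  # seconds; constructed value for this example


class IpKeyedSessions:
    """Weak model: a successful login marks the client IP as authenticated."""

    def __init__(self):
        self._by_ip = {}

    def login(self, client_ip):
        self._by_ip[client_ip] = time.monotonic() + SESSION_TTL

    def is_authenticated(self, client_ip, cookie=None):
        # The cookie is never consulted: any request from this address passes.
        return self._by_ip.get(client_ip, 0) > time.monotonic()


class TokenSessions:
    """Corrected model: the session is a random secret held by one client."""

    def __init__(self):
        self._by_token = {}

    def login(self, client_ip):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_token[token] = time.monotonic() + SESSION_TTL
        return token  # would be sent as an HttpOnly, SameSite cookie

    def is_authenticated(self, client_ip, cookie=None):
        if not cookie:
            return False
        presented = cookie.encode()
        for token, expiry in self._by_token.items():
            # Constant-time comparison avoids leaking token bytes via timing.
            if hmac.compare_digest(token.encode(), presented):
                return expiry > time.monotonic()
        return False


def second_client_accepted(store):
    """Admin logs in; a different browser with no cookie then sends a
    request that arrives from the same source address."""
    admin_ip = "192.0.2.10"  # constructed documentation address
    store.login(admin_ip)
    return store.is_authenticated(admin_ip, cookie=None)
```

With the IP-keyed store the second client is treated as logged in; with the token store it is rejected unless it presents the secret issued at login.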
Affected Version(s)
Trendnet AC2600 TEW-827DRU 2.08B01
CVSS V3.1
Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved