CVE-2021-28207

Name: CVE-2021-28207
Creator: NVD / NIST
Published: 2021-04-06T05:15:17.333+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.9/10EPSS 1.90%

Last modified Jun 17, 2026

CVE-2021-28207 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. The specific function in ASUS BMC’s firmware Web management page (Get Help file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files.. EPSS estimates a 1.90% chance of exploitation in the next 30 days.

Description

The specific function in ASUS BMC’s firmware Web management page (Get Help file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files.

Metrics

CVSS 3.1

4.9/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.90%

77.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Asus	Asmb9-Ikvm Firmware	1.11.12
Asus	Rs720a-E9-Rs24-E Firmware	1.10.3
Asus	Rs700a-E9-Rs4 Firmware	1.10.0
Asus	Rs700-E9-Rs4 Firmware	1.09
Asus	Esc4000 G4x Firmware	1.11.6
Asus	Rs700-E9-Rs12 Firmware	1.11.5
Asus	Rs100-E10-Pi2 Firmware	1.13.6
Asus	Rs300-E10-Ps4 Firmware	1.13.6
Asus	Rs300-E10-Rs4 Firmware	1.13.6
Asus	Rs500a-E9-Ps4 Firmware	1.14.1
Asus	Rs500a-E9-Rs4 Firmware	1.14.1
Asus	Rs500a-E9 Rs4 U Firmware	1.14.1
Asus	E700 G4 Firmware	1.14.1
Asus	Ws C422 Pro\/Se Firmware	1.14.1
Asus	Ws X299 Pro\/Se Firmware	1.14.1
Asus	Z11pa-U12 Firmware	1.15.1
Asus	Z11pa-U12\/10g-2s Firmware	1.15.1
Asus	Knpa-U16 Firmware	1.13.4
Asus	Esc4000 Dhd G4 Firmware	1.13.7
Asus	Esc4000 G4 Firmware	1.15.2
Asus	Rs720q-E9-Rs24-S Firmware	1.15.0
Asus	Rs720q-E9-Rs8 Firmware	1.15.0
Asus	Rs720q-E9-Rs8-S Firmware	1.15.0
Asus	Z11pa-D8 Firmware	1.14.1
Asus	Z11pa-D8c Firmware	1.14.1
Asus	Rs720-E9-Rs24-U Firmware	1.14.3
Asus	Rs720-E9-Rs8-G Firmware	1.15.2
Asus	Rs500-E9-Ps4 Firmware	1.15.4
Asus	Pro E800 G4 Firmware	1.14.2
Asus	Rs500-E9-Rs4 Firmware	1.15.4
Asus	Rs500-E9-Rs4-U Firmware	1.15.4
Asus	Rs520-E9-Rs12-E Firmware	1.15.3
Asus	Rs520-E9-Rs8 Firmware	1.15.3
Asus	Esc8000 G4 Firmware	1.15.4
Asus	Esc8000 G4\/10g Firmware	1.15.4
Asus	Rs720-E9-Rs12-E Firmware	1.15.2
Asus	Ws C621e Sage Firmware	1.15.1
Asus	Rs500a-E10-Ps4 Firmware	1.15.2
Asus	Rs500a-E10-Rs4 Firmware	1.15.2
Asus	Rs700a-E9-Rs12v2 Firmware	1.15.1
Asus	Rs700a-E9-Rs4v2 Firmware	1.15.1
Asus	Rs720a-E9-Rs12v2 Firmware	1.15.2
Asus	Rs720a-E9-Rs24v2 Firmware	1.15.1
Asus	Z11pr-D16 Firmware	1.15.3

References

https://www.asus.com/content/ASUS-Product-Security-Advisory/Vendor Advisory
https://www.asus.com/tw/support/callus/Vendor Advisory
https://www.twcert.org.tw/tw/cp-132-4577-60153-1.htmlThird Party Advisory
https://www.asus.com/content/ASUS-Product-Security-Advisory/Vendor Advisory
https://www.asus.com/tw/support/callus/Vendor Advisory
https://www.twcert.org.tw/tw/cp-132-4577-60153-1.htmlThird Party Advisory

Timeline

Published: Apr 6, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-28207?

How severe is CVE-2021-28207?

CVE-2021-28207 has a CVSS score of 4.9/10 (MEDIUM severity). The EPSS model estimates a 1.90% probability of exploitation in the next 30 days.

How do I fix CVE-2021-28207?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-28207?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST