CVE-2021-35978
Last modified
CVE-2021-35978 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. EPSS estimates a 3.56% chance of exploitation in the next 30 days.
Description
An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller including overwriting firmware, adding/removing users, disabling the internal firewall, etc.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Digi | Transport Dr64 Firmware | <= 5.2.4.9 |
| Digi | Transport Sr44 Firmware | All versions |
| Digi | Transport Vc74 Firmware | <= 5.2.4.9 |
| Digi | Transport Wr11 Firmware | <= 8.2.1.3 |
| Digi | Transport Wr11 Xt Firmware | <= 8.2.1.3 |
| Digi | Transport Wr21 Firmware | <= 8.2.1.3 |
| Digi | Transport Wr31 Firmware | <= 8.2.1.3 |
| Digi | Transport Wr41 Firmware | >= 5.0.0.0, <= 5.2.4.6 |
| Digi | Transport Wr41 Firmware | >= 6.0.0.0, <= 6.1.3.5 |
| Digi | Transport Wr41 Firmware | >= 8.0.0.0, <= 8.3.1.2 |
| Digi | Transport Wr44 Firmware | <= 8.3.1.2 |
References
- https://digi.comVendor Advisory
- https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txtThird Party Advisory
- https://digi.comVendor Advisory
- https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txtThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-35978?
How severe is CVE-2021-35978?
How do I fix CVE-2021-35978?
Are you affected by CVE-2021-35978?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST