Vulnerability Details CVE-2021-20138
An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower router’s web interface at /cgi-bin/luci/rc. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the web interface.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.082
EPSS Ranking 91.8%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 8.3
References
Products affected by CVE-2021-20138
-
cpe:2.3:h:gryphonconnect:gryphon_tower:-
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:-
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:03.0002.74
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:03.002.56
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0002.08
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0002.20
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0002.53
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0002.92
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0003.06
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0003.25
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0004.05
-
cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:04.0004.12