Vulnerability Description
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older, an internal management service is accessible on port 8000, and some of its API endpoints could be accessed without authentication to trigger a shutdown, a reboot, or a reboot into recovery mode.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fibaro | Home Center 2 Firmware | <= 4.600 |
| Fibaro | Home Center 2 | - |
| Fibaro | Home Center Lite Firmware | <= 4.600 |
| Fibaro | Home Center Lite | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Auth (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2021/Apr/27 (Mailing List, Third Party Advisory)
- https://www.iot-inspector.com/blog/advisory-fibaro-home-center/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-20990?
CVE-2021-20990 is a vulnerability with a CVSS score of 7.5 (HIGH). In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older, an internal management service is accessible on port 8000, and some API endpoints could be accessed without authentication...
How severe is CVE-2021-20990?
CVE-2021-20990 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-20990?
Check the references section above for vendor advisories and patch information. Affected products include: Fibaro Home Center 2 Firmware, Fibaro Home Center 2, Fibaro Home Center Lite Firmware, Fibaro Home Center Lite.