CVE-2021-38412 — CRITICAL (9.6)

Vulnerability Description

Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Digi	Portserver Ts 16 Firmware	82000684
Digi	Portserver Ts 16	-

Related Weaknesses (CWE)

CWE-306 CWE-287

References

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01Third Party AdvisoryUS Government Resource
https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2021-38412?

CVE-2021-38412 is a vulnerability with a CVSS score of 9.6 (CRITICAL). Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerabi...

How severe is CVE-2021-38412?

CVE-2021-38412 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-38412?

Check the references section above for vendor advisories and patch information. Affected products include: Digi Portserver Ts 16 Firmware, Digi Portserver Ts 16.