CVE-2021-20138

Name of the Vulnerable Software and Affected Versions: Gryphon Tower router (affected versions not specified)

Description: An unauthenticated command injection issue exists in the Gryphon Tower router’s web interface at "/cgi-bin/luci/rc". This allows an unauthenticated remote attacker on the same network to execute commands as root on the device by sending a specially crafted malicious packet to the web interface. The issue is related to multiple parameters.

Recommendations: As a temporary workaround, consider restricting access to the "/cgi-bin/luci/rc" endpoint until a patch is available. Avoid using the vulnerable parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.