CVE-2021-20139

Name of the Vulnerable Software and Affected Versions: Gryphon Tower routers (affected versions not specified)

Description: An unauthenticated command injection issue exists in the parameters of operation 3 in the controller server service. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller server service on port 9999, specifically the "controller server" service.

Recommendations: As a temporary workaround, consider restricting access to the controller server service on port 9999 to minimize the risk of exploitation. Avoid using the vulnerable parameters in operation 3 of the controller server service until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.