CVE-2021-20153

Name of the Vulnerable Software and Affected Versions: Trendnet AC2600 TEW-827DRU version 2.08B01

Description: The bittorrent functionality in the affected device contains a symlink vulnerability. If enabled, this functionality is vulnerable to a symlink attack that could lead to remote code execution on the device. An attacker could exploit this by inserting a flash drive with a malicious symlink, allowing the bittorrent client to write downloads to arbitrary locations on the device's filesystem. Vulnerable directories include "config", "downloads", and "torrents", with "downloads" being the only vector that allows for arbitrary files to be downloaded to arbitrary locations.

Recommendations: For Trendnet AC2600 TEW-827DRU version 2.08B01, consider disabling the bittorrent functionality until a patch is available to prevent potential remote code execution. Restrict access to the vulnerable directories, such as "config", "downloads", and "torrents", to minimize the risk of exploitation. Avoid using the bittorrent client to download files to arbitrary locations on the device's filesystem. At the moment, there is no information about a newer version that contains a fix for this vulnerability.