CVE-2021-20156

Name of the Vulnerable Software and Affected Versions: Trendnet AC2600 TEW-827DRU version 2.08B01

Description: The issue is related to an improper access control configuration that could allow for a malicious firmware update. It is possible to manually install firmware that may be malicious in nature as there does not appear to be any signature validation done to determine if it is from a known and trusted source. This includes firmware updates that are done via the automated "check for updates" in the admin interface. If an attacker is able to masquerade as the update server, the device will not verify that the firmware updates downloaded are legitimate.

Recommendations: For Trendnet AC2600 TEW-827DRU version 2.08B01, as a temporary workaround, consider disabling the automated "check for updates" feature in the admin interface until a patch is available. Restrict access to the firmware update mechanism to minimize the risk of exploitation. Avoid using untrusted sources for firmware updates. At the moment, there is no information about a newer version that contains a fix for this issue.