CVE-2021-26728
CRITICALLanner Inc IAC-AST2500A Firmware 1.10.0 - Stack-Based Buffer Overflow and Command Injection in KillDupUsr_func
Title source: llmDescription
Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
References (2)
Core 2
Core References
Third Party Advisory
https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1/
Third Party Advisory
https://www.nozominetworks.com/labs/vulnerability-advisories/cve-2021-26728/
Scores
CVSS v3
10.0
EPSS
0.0228
EPSS Percentile
81.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-121
CWE-77
CWE-787
CWE-94
Status
published
Products (1)
lannerinc/iac-ast2500a_firmware
1.10.0
Published
Oct 24, 2022
Tracked Since
Feb 18, 2026