CVE-2021-27215
CRITICALgenua genugate < 9.0 Z p19, 9.1.x-9.6.x < 9.6 p7, 10.x < 10.1 p4 - Unauthenticated Authentication Bypass
Title source: llmDescription
An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces (Admin, Userweb, Sidechannel) can use different methods to perform the authentication of a user. A specific authentication method during login does not check the provided data (when a certain manipulation occurs) and returns OK for any authentication request. This allows an attacker to login to the admin panel as a user of his choice, e.g., the root user (with highest privileges) or even a non-existing user.
References (3)
Core 3
Core References
Product x_refsource_misc
https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate
Patch, Vendor Advisory x_refsource_misc
https://kunde.genua.de/en/overview/genugate.html
Exploit, Third Party Advisory x_refsource_misc
https://sec-consult.com/vulnerability-lab/advisory/authentication-bypass-genua-genugate/
Scores
CVSS v3
9.8
EPSS
0.0235
EPSS Percentile
81.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-306
Status
published
Products (4)
genua/genuagate
9.0 (19 CPE variants)
genua/genuagate
9.6.0 (7 CPE variants)
genua/genuagate
10.1 (4 CPE variants)
genua/genuagate
< 9.0
Published
Mar 03, 2021
Tracked Since
Feb 18, 2026