CVE-2021-27289

CRITICAL

Ksix Zigbee Smart Home Kit (Gateway Module v1.0.3, Door Sensor v1.0.7) - Replay Attack via Frame Counter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-27289. PoCs were published by Alejandro Vazquez Vazquez and TheMalwareGuardian.

AI-analyzed exploit summary: The script exploits a frame counter (sequence number) validation flaw in Ksix Zigbee devices by forging packets with a higher counter value to bypass replay protection. It modifies captured Zigbee traffic and replays it to trigger actions such as opening doors or turning on lights.

Description

A replay attack vulnerability was discovered in a Zigbee smart home kit manufactured by Ksix (Zigbee Gateway Module = v1.0.3, Door Sensor = v1.0.7, Motion Sensor = v1.0.12), where the Zigbee anti-replay mechanism - based on the frame counter field - is improperly implemented. As a result, an attacker within wireless range can resend captured packets with a higher sequence number, which the devices incorrectly accept as legitimate messages. This allows spoofed commands to be injected without authentication, triggering false alerts and misleading the user through notifications in the mobile application used to monitor the network.

Exploits (2)

exploitdb · WORKING POC
by Alejandro Vazquez Vazquez · bash · remote · multiple
https://www.exploit-db.com/exploits/49169

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Ksix Zigbee Gateway (v1.0.3), Main Module (v1.1.2), Door Sensor (v1.0.7), PIR Motion Sensor (v1.0.12)
Authentication: none needed
Prerequisites: Zigbee traffic capture (e.g., Api-Mote) · Wireshark for packet analysis · Killerbee or similar tool for packet replay
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC
by TheMalwareGuardian · poc
https://github.com/TheMalwareGuardian/CVE-2021-27289

This repository contains a proof-of-concept exploit for CVE-2021-27289, a replay protection bypass in Ksix Zigbee devices. The exploit manipulates the frame counter (sequence number) of captured Zigbee packets to spoof events, demonstrated through attack scenarios such as user deception and notification flooding.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Ksix Zigbee Devices (Gateway Zigbee Module v1.0.3, Gateway Main Module v1.1.2, Door Sensor v1.0.7, PIR Motion Sensor v1.0.12)
Authentication: none needed
Prerequisites: Zigbee traffic capture tool (e.g., Api-Mote) · Wireshark for packet analysis · Killerbee for packet injection · Physical proximity to the Zigbee network
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 9.1 (Critical)
EPSS: 0.0075
EPSS Percentile: 49.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-294 (Authentication Bypass by Capture-replay)
Status: published
Published: Apr 15, 2025
Tracked Since: Feb 18, 2026