CVE-2021-27856

CRITICAL EXPLOITED NUCLEI

FatPipe <10.1.2r60p91, 10.2.2r42 - Info Disclosure

Title source: llm

Description

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002.

Nuclei Templates (1)

FatPipe WARP/IPVPN/MPVPN - Backdoor Account

CRITICALVERIFIEDby gy741

References (3)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php

[Vendor Advisory] https://www.fatpipeinc.com/support/cve-list.php

[Third Party Advisory] https://www.zeroscience.mk/codes/fatpipe_backdoor.txt

Scores

CVSS v3 9.8

EPSS 0.4630

EPSS Percentile 97.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-05-05

Status published

Products (10)

fatpipeinc/ipvpn_firmware 5.2.0 r34

fatpipeinc/ipvpn_firmware 6.1.2 r70p26 (3 CPE variants)

fatpipeinc/ipvpn_firmware 7.1.2 r39

fatpipeinc/ipvpn_firmware 9.1.2 r129 (17 CPE variants)

fatpipeinc/ipvpn_firmware 10.1.2 r60p10 (11 CPE variants)

fatpipeinc/ipvpn_firmware 10.2.2 r10 (3 CPE variants)

fatpipeinc/mpvpn_firmware 5.2.0 r34

fatpipeinc/mpvpn_firmware 6.1.2 r70p26 (3 CPE variants)

fatpipeinc/mpvpn_firmware 7.1.2 r39

fatpipeinc/mpvpn_firmware 9.1.2 r129 (9 CPE variants)

Published Dec 15, 2021

Tracked Since Feb 18, 2026