CVE-2021-27859

HIGH

FatPipe WARP, IPVPN, and MPVPN < 10.1.2r60p91 and < 10.2.2r42 - Authenticated Privilege Escalation via Account Creation

Title source: llm
STIX 2.1

Description

A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005.

References (3)

Core 3
Core References
Vendor Advisory x_refsource_confirm
https://www.fatpipeinc.com/support/cve-list.php
Third Party Advisory x_refsource_misc
https://www.zeroscience.mk/codes/fatpipe_csrf.txt

Scores

CVSS v3 8.8
EPSS 0.0162
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-862
Status published
Products (10)
fatpipeinc/ipvpn_firmware 5.2.0 r34
fatpipeinc/ipvpn_firmware 6.1.2 r70p26 (3 CPE variants)
fatpipeinc/ipvpn_firmware 7.1.2 r39
fatpipeinc/ipvpn_firmware 9.1.2 r129 (17 CPE variants)
fatpipeinc/ipvpn_firmware 10.1.2 r60p10 (11 CPE variants)
fatpipeinc/ipvpn_firmware 10.2.2 r10 (3 CPE variants)
fatpipeinc/mpvpn_firmware 5.2.0 r34
fatpipeinc/mpvpn_firmware 6.1.2 r70p26 (3 CPE variants)
fatpipeinc/mpvpn_firmware 7.1.2 r39
fatpipeinc/mpvpn_firmware 9.1.2 r129 (9 CPE variants)
Published Dec 15, 2021
Tracked Since Feb 18, 2026