CVE-2021-28209

MEDIUM

ASUS BMC Firmware - Authenticated Path Traversal via Web Management Delete Video File Function

Title source: llm

Description

The Delete video file function in the Web management page of ASUS BMC’s firmware does not filter a specific parameter. After obtaining administrator permission, remote attackers can use path traversal to access system files.

References (3)

Core References
Vendor Advisory (x_refsource_misc): https://www.asus.com/tw/support/callus/
Third Party Advisory (x_refsource_misc): https://www.twcert.org.tw/tw/cp-132-4579-c8827-1.html

Scores

CVSS v3 4.9
EPSS 0.0030
EPSS Percentile 53.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-22
Status published
Products (44)
asus/asmb9-ikvm_firmware 1.11.12
asus/e700_g4_firmware 1.14.1
asus/esc4000_dhd_g4_firmware 1.13.7
asus/esc4000_g4_firmware 1.15.2
asus/esc4000_g4x_firmware 1.11.6
asus/esc8000_g4\/10g_firmware 1.15.4
asus/esc8000_g4_firmware 1.15.4
asus/knpa-u16_firmware 1.13.4
asus/pro_e800_g4_firmware 1.14.2
asus/rs100-e10-pi2_firmware 1.13.6
... and 34 more
Published Apr 06, 2021
Tracked Since Feb 18, 2026