CVE-2021-35978
Severity: CRITICAL
Digi TransPort DR64 SR44 VC74 WR - Remote Command Execution via ZING Protocol
Title source: llm
Description
An issue was discovered in Digi TransPort DR64, SR44, VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller, including overwriting firmware, adding/removing users, disabling the internal firewall, etc.
References (2)
Core References
Vendor Advisory (x_refsource_misc): https://digi.com
Third Party Advisory (x_refsource_misc): https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt
Scores
CVSS v3: 9.8
EPSS: 0.0356
EPSS Percentile: 87.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-77
Status: published
Products (9)
digi/transport_dr64_firmware: < 5.2.4.9
digi/transport_sr44_firmware
digi/transport_vc74_firmware: < 5.2.4.9
digi/transport_wr11_firmware: < 8.2.1.3
digi/transport_wr11_xt_firmware: < 8.2.1.3
digi/transport_wr21_firmware: < 8.2.1.3
digi/transport_wr31_firmware: < 8.2.1.3
digi/transport_wr41_firmware: 5.0.0.0 - 5.2.4.6
digi/transport_wr44_firmware: < 8.3.1.2
Published: Dec 10, 2021
Tracked Since: Feb 18, 2026