CVE-2021-36767

CRITICAL

Digi RealPort <4.10.490 - Info Disclosure

Title source: llm

Description

In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully log in to the server.

Scores

CVSS v3: 9.8
EPSS: 0.0033
EPSS Percentile: 55.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE: CWE-916
Status: published

Affected Products (20)

digi/realport < 1.9-40
digi/realport < 4.10.490
digi/connectport_ts_8\/16_firmware
digi/connectport_lts_8\/16\/32_firmware
digi/passport_integrated_console_server_firmware
digi/cm_firmware
digi/portserver_ts_firmware
digi/portserver_ts_mei_firmware
digi/portserver_ts_mei_hardened_firmware
digi/portserver_ts_m_mei_firmware
digi/6350-sr_firmware
digi/portserver_ts_p_mei_firmware
digi/transport_wr11_xt_firmware
digi/one_ia_firmware
digi/wr31_firmware
... and 5 more

Timeline

Published: Oct 08, 2021
Tracked Since: Feb 18, 2026