CVE-2021-36767

CRITICAL

Digi RealPort <4.10.490 - Info Disclosure

Description

In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully log in to the server.

Scores

CVSS v3 9.8
EPSS 0.0036
EPSS Percentile 57.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-916
Status published
Products (20)
digi/6350-sr_firmware
digi/cm_firmware
digi/connect_es_firmware
digi/connectport_lts_8\/16\/32_firmware
digi/connectport_ts_8\/16_firmware
digi/one_ia_firmware
digi/one_iap_firmware
digi/one_iap_haz_firmware
digi/passport_integrated_console_server_firmware
digi/portserver_ts_firmware
... and 10 more
Published Oct 08, 2021
Tracked Since Feb 18, 2026