CVE-2021-40859

CRITICAL IN THE WILD NUCLEI

Auerswald COMpact 5500R <8.0B - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-40859 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 3 public exploits from researchers including RedTeam Pentesting GmbH, 419066074, pussycat0x. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a detailed advisory and analysis of backdoor accounts in Auerswald COMpact PBX devices, including the method to derive the password for the hidden 'Schandelah' user. It provides steps to extract and analyze the firmware but does not include executable exploit code.

Description

Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device.

Exploits (3)

exploitdb WRITEUP
by RedTeam Pentesting GmbH · textremotehardware
https://www.exploit-db.com/exploits/50569

This is a detailed advisory and analysis of backdoor accounts in Auerswald COMpact PBX devices, including the method to derive the password for the hidden 'Schandelah' user. It provides steps to extract and analyze the firmware but does not include executable exploit code.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Auerswald COMpact 5500R PBX (and other models) <= 8.0B
No auth needed
Prerequisites: Access to the web-based management interface · Knowledge of the device's serial number and current date
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 6 stars
by 419066074 · poc
https://github.com/419066074/CVE-2021-40859

This PoC exploits a backdoor vulnerability in Auerswald COMpact devices by generating default passwords based on device serial and date information, then attempting authentication. It targets versions <= 8.0B and <= 4.0S.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Auerswald COMpact 5500R and other models (versions <= 8.0B and <= 4.0S)
No auth needed
Prerequisites: Network access to the target device · Device must be running a vulnerable version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by pussycat0x · poc
https://github.com/pussycat0x/CVE-2021-40859

This PoC exploits an unauthenticated endpoint in Auerswald VoIP systems to generate a backdoor password using a hardcoded algorithm involving the device's serial number and date. It then reveals credentials for the hidden 'Schandelah' account.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Auerswald COMpact 5500R PBX
No auth needed
Prerequisites: Network access to the target device · Unauthenticated access to the '/about_state' endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Auerswald COMpact 5500R 7.8A and 8.0B Devices Backdoor
CRITICALby pussycat0x
FOFA: "auerswald"

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.7198
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

InTheWild.io 2022-01-01
Status published
Products (2)
auerswald/compact_5500r_firmware 7.8a build002
auerswald/compact_5500r_firmware 8.0b build000
Published Dec 07, 2021
Tracked Since Feb 18, 2026