CVE-2021-41293
HIGH EXPLOITED NUCLEI
ECOA BAS controller - Path Traversal
Title source: llm
Exploitation Summary
CVE-2021-41293 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The ECOA BAS controller suffers from a path traversal vulnerability that results in arbitrary file disclosure. Using a specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device, exposing sensitive and system information.
Nuclei Templates (1)
ECOA Building Automation System - Arbitrary File Retrieval
HIGH by 0x_Akoko
References (1)
Core References
Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
Scores
CVSS v3
7.5
EPSS
0.2008
EPSS Percentile
97.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
VulnCheck KEV
2024-01-22
CWE
CWE-22
Status
published
Products (3)
ecoa/ecs_router_controller-ecs_firmware
ecoa/riskbuster_firmware
ecoa/riskterminator
Published
Sep 30, 2021
Tracked Since
Feb 18, 2026