CVE-2021-45420
CRITICAL EXPLOITED NUCLEI
Emerson Dixell XWEB-500 Firmware - Unauthenticated Arbitrary File Write via logo_extra_upload.cgi
Title source: llm
Exploitation Summary
CVE-2021-45420 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Emerson Dixell XWEB-500 products are affected by an arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced.
Nuclei Templates (1)
Emerson Dixell XWEB-500 - Arbitrary File Write
CRITICAL, by hackerarpan
References (3)
Core References
Vendor Advisory x_refsource_misc
http://emerson.com
Product x_refsource_misc
http://dixell.com
Exploit, Third Party Advisory x_refsource_misc
https://www.swascan.com/emerson
Scores
CVSS v3: 9.8
EPSS: 0.2596
EPSS Percentile: 97.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2024-01-21
CWE: CWE-306, CWE-200, CWE-668
Status: published
Products (1): emerson/dixell_xweb-500_firmware
Published: Feb 14, 2022
Tracked Since: Feb 18, 2026