CVE-2021-27857
high-risk
Published 2021-12-15
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA003.
Do I need to act?
0.50% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 (High), attack vector NETWORK / LOW complexity
Affected Products (20)
Affected Vendors
References (6)
Vendor Advisory
https://www.fatpipeinc.com/support/cve-list.php
Third Party Advisory
https://www.zeroscience.mk/codes/fatpipe_configdl.txt
Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php
Risk score: 58 / 100 (high-risk)
Severity: 26/34 · High
Exploitability: 2/34 · Minimal
Exposure: 30/34 · Critical