CVE-2021-35978
high-risk
Published 2021-12-10
An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller including overwriting firmware, adding/removing users, disabling the internal firewall, etc.
Do I need to act?
~
8.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (9)
Transport Dr64 Firmware
Transport Sr44 Firmware
Transport Vc74 Firmware
Transport Wr11 Firmware
Transport Wr11 Xt Firmware
Transport Wr21 Firmware
Transport Wr31 Firmware
Transport Wr41 Firmware
Transport Wr44 Firmware
Affected Vendors
References (4)
Vendor Advisory
https://digi.com
Third Party Advisory
https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt
Vendor Advisory
https://digi.com
Third Party Advisory
https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt
57
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
10/34 · Low
Exposure
15/34 · Moderate