CVE-2021-20090 — Arcadyan Buffalo Firmware Path Traversal Vulnerability

CVE-2021-20090

Arcadyan Firmware — Path Traversal Authentication Bypass Affecting Routers from Buffalo, Verizon, BT, Sky, Telstra, and Other ISPs; Exploited by Mirai Botnets

What is Arcadyan Firmware?

Arcadyan Technology Corporation is a Taiwan-based manufacturer that produces the firmware and hardware used in routers sold under many different brand names by ISPs and consumer electronics companies worldwide. When Arcadyan firmware contains a security vulnerability, it affects all devices from all the OEM manufacturers that use it — creating a supply-chain vulnerability affecting millions of devices across dozens of brands simultaneously. CVE-2021-20090 is an example of this pattern: a single path traversal bug in Arcadyan's firmware base affected devices sold by Buffalo, Verizon, BT, Sky, Telstra, Deutsche Telekom, and many other ISP-branded or white-label router products.

Overview

CVE-2021-20090 is a path traversal vulnerability (CWE-22) in the web server of the Arcadyan firmware used in routers from multiple manufacturers. The web server exempts a few static-content paths from its login check, but it evaluates that exemption on the raw URL before decoding and normalizing it, so an unauthenticated attacker can reach pages and CGI endpoints that normally require a login by prefixing them with an exempt directory and an encoded ../ sequence. Tenable Research (Evan Grant) discovered the vulnerability, first in two Buffalo models and then in the shared Arcadyan code base used by at least a dozen other vendors and ISPs. Mirai botnet variants began exploiting it within days of Tenable's August 2021 publication, mass-recruiting vulnerable routers as DDoS bots.

Affected Versions

Selected affected devices (the authoritative list is Tenable advisory TRA-2021-13):

Vendor Product (firmware)
Buffalo WSR-2533DHPL2 (<= 1.02), WSR-2533DHP3 (<= 1.24)
Verizon Fios Home Router G3100
Deutsche Telekom Speedport Smart 3
British Telecom WE410443-SA
Telstra Smart Modem Gen 2 (LH1000)
ASUS DSL-AC88U, DSL-AC87VG, DSL-AC3100, DSL-AC68VG
Vodafone EasyBox 802, 803, 804
Arcadyan ARV7519, VRV9517, VGV7519, VRV9518 and other models
Others Further ISP-branded and white-label devices built on the same Arcadyan code (O2, Orange, KPN, Telus, Beeline, TelMex, Telecom Argentina, SparkNZ and more)

Technical Details

The Arcadyan web server (httpd) serves the router management interface. Before handling a request it checks whether the URL belongs to a small set of paths that are exempt from authentication, and that check is made on the wrong representation of the path:

  • Root cause: Path traversal (CWE-22). The server keeps a list of URL prefixes for static content (for example /images/) that are served without a login. The exemption is decided by a plain prefix comparison on the raw request path, before the path is URL-decoded and normalized; the file-serving code then decodes and normalizes the same path, so the two stages disagree about which file is being requested.
  • Authentication bypass: A request such as /images/..%2findex.htm passes the exemption check as an "image" request but is resolved to /index.htm, a page that normally requires a login. Any page or CGI endpoint under the web root can be reached the same way.
  • Configuration change: The public exploit, and the Mirai variant that followed it, POST to /images/..%2fapply_abstract.cgi, the endpoint that applies configuration changes, to enable the Telnet service on the device. With Telnet or the admin interface open, the attacker has full control of the router, including its stored Wi-Fi and ISP (PPPoE) credentials.
  • Authentication required: None. The bypass happens before any authentication check, so a single unauthenticated HTTP request from anywhere the management interface is reachable is enough.
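The following is an added illustration of the bug class described above, not Arcadyan's httpd code: a minimal request dispatcher that decides the authentication exemption on the raw path (the vulnerable order) next to one that decodes and normalizes first (the hardened order). The exempt-prefix list, the tiny in-memory web root and the function names are constructed for the example; only the /images/ prefix and the apply_abstract.cgi and index.htm targets come from the public write-up of the vulnerability.

```python
"""Model of the CVE-2021-20090 authentication-bypass pattern.

Added illustration, not Arcadyan's httpd: the prefix list, the tiny web
root and the function names are constructed for the example. /images/
is the exempt prefix used in the public exploit; the others are assumed.
"""
import posixpath
from urllib.parse import unquote

# Static-content prefixes the firmware serves without a login (assumed set).
BYPASS_PREFIXES = ("/images/", "/js/", "/css/")

# Constructed stand-in for the web root: resolved path -> response body.
WEB_ROOT = {
    "/images/logo.png": "<png bytes>",
    "/login.htm": "login form",
    "/index.htm": "admin dashboard",
    "/apply_abstract.cgi": "configuration applied",
}

LOGIN_REDIRECT = (302, "/login.htm")


def resolve(raw_path: str) -> str:
    """Decode the path exactly once, then collapse '.' and '..' components."""
    decoded = unquote(raw_path)
    normalized = posixpath.normpath(decoded)
    return normalized if normalized.startswith("/") else "/" + normalized


def vulnerable_dispatch(raw_path: str, authenticated: bool = False):
    """Exemption decided on the raw path, file chosen from the decoded one."""
    # BUG: '/images/..%2fapply_abstract.cgi' matches '/images/' here ...
    exempt = raw_path.startswith(BYPASS_PREFIXES)
    # ... but resolves to '/apply_abstract.cgi' here.
    target = resolve(raw_path)
    if target not in WEB_ROOT:
        return 404, ""
    if not exempt and not authenticated:
        return LOGIN_REDIRECT
    return 200, WEB_ROOT[target]


def hardened_dispatch(raw_path: str, authenticated: bool = False):
    """Decode and normalize first; decide the exemption on the result."""
    target = resolve(raw_path)
    # Anything still percent-encoded after one decode (e.g. '%252f') is not a
    # legitimate path on this server: refuse it rather than decode again.
    if "%" in target:
        return 400, ""
    exempt = target.startswith(BYPASS_PREFIXES)
    if target not in WEB_ROOT:
        return 404, ""
    if not exempt and not authenticated:
        return LOGIN_REDIRECT
    return 200, WEB_ROOT[target]


def compare(raw_path: str):
    """Return (vulnerable_result, hardened_result) for an unauthenticated request."""
    return vulnerable_dispatch(raw_path), hardened_dispatch(raw_path)


if __name__ == "__main__":
    for path in ("/images/logo.png",
                 "/apply_abstract.cgi",
                 "/images/..%2fapply_abstract.cgi",
                 "/images/..%252fapply_abstract.cgi"):
        vuln, hard = compare(path)
        print(f"{path:40s} vulnerable={vuln}  hardened={hard}")
```

The hardened version also refuses a path that still contains a percent sign after one round of decoding, which closes the double-encoding variant (`..%252f`) without ever decoding twice; decoding in a loop until nothing changes is the other common mistake in this area.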

Discovery

Discovered by Evan Grant of Tenable Research. Tenable first disclosed the issue in April 2021 against two Buffalo models (advisory TRA-2021-13) and, after finding the same code in many other devices, published its broader Arcadyan research on 2021-08-03. Mirai botnet operators weaponized the request pattern from that publication within days.

Exploitation Context

Arcadyan firmware vulnerabilities affect a large installed base of ISP-provided routers; many end users cannot update these devices themselves and depend on their ISP to push firmware. In the Mirai campaign that followed disclosure, routers whose management interface was reachable from the internet were recruited as DDoS bots. ISP-branded routers are particularly exposed because users are often unaware that the firmware can be updated at all, and ISPs may be slow to push updates to deployed devices.

Remediation

  1. Contact your router manufacturer or ISP for a firmware update addressing CVE-2021-20090
  2. For Buffalo WSR-series: install the fixed firmware from Buffalo's support site (the vulnerable versions are WSR-2533DHPL2 <= 1.02 and WSR-2533DHP3 <= 1.24)
  3. For ISP-provided devices (Verizon, BT, Sky, Telstra, Deutsche Telekom and others): ask your ISP to confirm that fixed firmware has been pushed to your device; most of these units cannot be updated by the subscriber
  4. While awaiting firmware: disable remote management (WAN-side access to the web interface); the exploited requests need nothing but network reach to the HTTP port
  5. If remote management cannot be disabled: restrict access to the management interface to the LAN with the router's own firewall rules, or place it behind an upstream firewall
  6. Treat a device that was internet-exposed while vulnerable as compromised: after updating, check for a Telnet service or admin password you did not enable or set and for unexpected configuration changes, factory-reset if anything looks wrong, and set a new admin password

Key Details

Property Value
CVE ID CVE-2021-20090
Vendor / Product Arcadyan firmware (Buffalo WSR-2533DHPL2 / WSR-2533DHP3 and other OEM and ISP routers)
NVD Published 2021-04-29
NVD Last Modified 2025-11-03
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
CISA KEV Added 2021-11-03
CISA KEV Deadline 2021-11-17
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date Event
2021-04-29 CVE published; Tenable advisory TRA-2021-13 initially covers Buffalo WSR-2533DHPL2 and WSR-2533DHP3
2021-08-03 Tenable (Evan Grant) publishes research showing the bug lives in shared Arcadyan code and affects many more OEM and ISP routers
2021-08 Within days of that publication a Mirai variant begins exploiting CVE-2021-20090; mass scanning with /images/..%2f requests observed
2021-11-03 Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 CISA BOD 22-01 remediation deadline