Vulnerability Details : CVE-2021-30127
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
Exploit prediction scoring system (EPSS) score for CVE-2021-30127
Probability of exploitation activity in the next 30 days: 0.16%
Percentile, the proportion of vulnerabilities that are scored at or less: ~53%
CVSS scores for CVE-2021-30127
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 | NIST |
References for CVE-2021-30127
- https://kn100.me/terramaster-nas-exposing-itself-over-upnp/
  Terramaster NAS exposing itself with UPNP (Exploit; Third Party Advisory)
- https://news.ycombinator.com/item?id=26681984
  My NAS exposes itself over the internet without permission | Hacker News (Issue Tracking; Third Party Advisory)
Products affected by CVE-2021-30127
- cpe:2.3:o:terra-master:f2-210_firmware:*:*:*:*:*:*:*:*